Open source software forms the scaffolding of modern digital economies, powering everything from mission-critical infrastructure to mobile apps, yet the world’s financial commitment to its maintenance and sustainability remains startlingly tenuous. This disconnect was cast into sharp relief by GitHub—now owned by Microsoft—when the platform’s director of developer policy, Felix Reda, issued a forceful plea to the European Union: establish a robust, publicly funded “Sovereign Tech Fund” (EU-STF) to reinforce the open source software ecosystem.
This call comes on the heels of both mounting evidence of chronic underfunding for open digital infrastructure and fresh research commissioned by Open Forum Europe, Fraunhofer ISI, and the European University Institute into the operations of Germany’s own Sovereign Tech Agency. The debate now hinges not only on whether the EU shoulders this new fiscal responsibility but also, pointedly, whether giants like Microsoft ought to contribute more directly, given their immense profits from open source–enabled economies.
The Hidden Foundations of Our Digital World
Open source software is often described as the invisible backbone of today’s interconnected societies. Felix Reda distilled the situation with bracing clarity: “Open source software is open digital infrastructure that our economies and societies rely on. Nevertheless, open source maintenance continues to be underfunded, especially when compared to physical infrastructure like roads or bridges. So we ask: how can the public sector better support open source maintenance?”
Their argument is difficult to dispute from a systemic perspective. The European Commission estimates that open source contributes between €65 billion and €95 billion ($76.5 billion–$111.8 billion) each year to the EU economy. A global estimate balloons to $8.8 trillion in value. Yet, most open source maintenance is orchestrated by small teams or individual enthusiasts—many operating on a shoestring. This imbalance leads to glaring fragilities: projects underpinning global commerce, government platforms, and essential services can crumble from neglect, lack of updates, or security vulnerabilities left unpatched due to chronic resourcing gaps.
GitHub’s Sovereign Tech Fund Proposal
Against this backdrop, GitHub’s proposal is blunt. Drawing on the successful yet modest model of Germany’s Sovereign Tech Agency—which began distributing €1 million ($1.18 million) in 2022 and grew its funding to just over €23 million ($27 million)—GitHub urges the EU to scale up, continent-wide. The request: “no less than €350 million” ($412 million) as a starting block for the EU-STF, sourced from the upcoming EU multiannual budget. For comparison, such a contribution is less than half a percent of Microsoft’s last reported annual profit of $72.3 billion.
The envisioned Sovereign Tech Fund would streamline access for open source maintainers: a single, easy-to-navigate platform for funding applications. Borrowing design cues from GitHub’s Secure Open Source Fund—which provides select maintainers with $10,000 grants—the EU fund would cast its net more widely, offer larger grants, and operate as a politically independent, community-driven resource. The recommendations stress minimal bureaucracy and prioritize independence to ensure trust and accessibility within the open source community.
Why Public Funding, and Why Now?
The core rationale for public investment in open source is straightforward: if open digital infrastructure ranks in importance with bridges and highways, then society should treat its upkeep as a shared public responsibility. “There is a profound mismatch between the importance of open source maintenance and the public attention it receives,” argues Reda. Indeed, the economic value generated by open source dwarfs its support structures, a fact recognized by both EU policymakers and private analysts. Still, the open source world’s dependency on ad hoc volunteer labor creates systemic risk: any collapse or compromise in foundational software could cascade through entire industries, supply chains, and even public safety systems.
Daniel Stenberg, lead developer of cURL and president of the European Open Source Academy, put it bluntly in support of the proposal: “Current digital infrastructure is to a large degree built on layers and layers of open source, and yet a substantial part of this open source is built and maintained by enthusiasts or other financially- and resource-constrained teams. Funding options like the EU-STF proposal can truly help enforce the ecosystem and offer new paths towards sustainability.”
There is a real-world precedent already in operation. Germany’s Sovereign Tech Agency, established with a small budget, has funded work on dozens of pivotal open source projects. Its model places community needs at the center, with flexibility to respond to evolving technological challenges, and has advocated scaling up both funding and operational reach in coming years.
The Case For and Against Direct Corporate Funding
Perhaps the most politically charged aspect of the debate is who pays. The Register, in typical acerbic fashion, noted that Microsoft appears “eager to spend other people's money wherever possible,” citing the company’s enormous bottom line and the implications of using public funds to subsidize infrastructure it profits from. GitHub’s proposal, as it stands, does not explicitly call for Microsoft or itself to contribute, instead recommending a coalition of industry, national governments, and EU authorities.
There’s a long-standing tension here. Open source communities often eye substantial corporate contributions with suspicion, wary of co-opting influence or tilting governance towards profit-driven motives. Conversely, reliance on the public purse alone creates its own pitfalls, particularly at a time of fiscal tightening across Europe. Critics argue that powerful industry stakeholders should commit a fair share of the burden, both on moral and practical grounds, given their vested interests in digital stability.
Yet Microsoft’s actual direct financial support of open source projects remains relatively modest when weighed against its profits. Its most high-profile initiative, the Secure Open Source Fund, is selective and narrow in scope. This reinforces the perception that, for all its rhetoric, Microsoft has yet to fully align its financial interests with the broader good of the open source community.
Open Source Community Responses: Looking Beyond Funding
It is clear public funding alone is no panacea. Amanda Brock, CEO of OpenUK, draws from hands-on experience with the UK public sector to stress a holistic approach. “As the world’s first country to have an open source first policy in its public sector, we have a head start on understanding what is needed and funding is indeed absolutely critical,” she told The Register. But, she warned, deploying funds wisely requires careful strategy: rigorous landscape reviews, training for those assessing proposals, procedures for grant recipients to ensure code longevity, and mechanisms to build sustainable developer communities.
Her recommendations mirror an emerging consensus: funding must tie to actionable processes—whether that means project vetting, examiner training, or encouraging communities that nurture software after its initial funding phase is complete. Dumping code onto GitHub is not enough; without stewardship, transparency, long-term maintenance, and community engagement, open source risks becoming “abandonware” as quickly as it is funded.
OpenUK’s evolving blueprint, still under discussion with the UK public sector, encapsulates these concerns. In addition to direct funding, it envisions innovation management systems and models enabling national infrastructure to be genuinely underpinned by a vibrant, sustainable open source environment.
Bureaucracy, Independence, and Governance
Multiple experts stress that any EU-wide Sovereign Tech Fund must avoid the pitfalls of excess bureaucracy. Efficiency is vital. Burdening maintainers with arduous grant applications risks prioritizing those with resources to work the system, rather than those most in need. The proposal advocates a streamlined process, with transparent criteria for awarding funds and routine assessment to ensure projects remain well-aligned with public need.
Politics are another danger. Ideally, the fund would operate independently, insulated from direct state or commercial interests, and governed by a board representing both developers and wider public stakeholders. This independence is crucial if the initiative is to retain credibility and avoid charges of favoritism, inefficiency, or politicization.
Questions remain about the precise mechanisms by which the Sovereign Tech Fund would interact with existing initiatives, such as the German model or national-level tools in France, the UK, and elsewhere. The EU is a notoriously fragmented regulatory landscape, and any successful scheme will need to bridge national and continental programmes without duplication, waste, or unnecessary competition.
The Broader Risks: Sustainability and Security
The call for an EU-wide Sovereign Tech Fund comes amid an escalating series of security incidents born of open source neglect. Recent European and global events have made it clear: vulnerabilities in widely used open source components can trigger continent-wide, even global, crises. From the infamous Heartbleed bug in OpenSSL to major attacks on supply chain libraries, the risks tied to neglected infrastructure have never been clearer.
Funding alone, however, cannot solve all these issues. It must be accompanied by investments in secure coding, audit mechanisms, and support for long-term stewardship. Many critical projects have no formal governance, making it difficult to direct funds or mandate security fixes. Building resilience thus also requires cultural and infrastructural change within the open source community—a challenge far larger than any check alone can solve.
Alternative Models and Lessons from Abroad
While Germany and the EU are under the spotlight, other nations provide useful lessons. The US has seen nascent federal action with the White House’s Open Source Software Security Initiative, though its focus remains much more tightly on cybersecurity than general infrastructure. China’s approach is even more vertically integrated, using state resources to promote domestic open source alternatives in an attempt to establish wider digital sovereignty.
Meanwhile, private foundations (such as the Mozilla Foundation or the OpenSSF) and global NGOs have been tried-and-tested vehicles for targeted funding. Each model has distinct strengths: private funds can be nimble, government backing brings scale, and philanthropic organizations bridge public-private divides. Coordination rather than duplication—building on what works and learning from what fails—will be essential for any EU-level effort.
The Road Ahead: Timing, Commitment, and the Path to Resilience
Supporters of an EU Sovereign Tech Fund argue that the time for action is now. Digital transformation is accelerating, and political leaders increasingly acknowledge the centrality of open source to both economic growth and strategic autonomy. Europe’s Digital Decade strategy, for instance, highlights sovereignty and secure digital infrastructure as core goals, setting the scene for expanded public investment.
Yet significant hurdles remain. Tight fiscal environments across the EU favor caution; any new expenditure will be scrutinized against priorities like energy security, climate action, and health. Moreover, the lack of consensus about the appropriate scale, governance, and focus of such funding adds friction.
The process is further complicated by national interests. Germany’s Sovereign Tech Agency, France’s efforts, and the UK’s policy-first experiments all highlight a patchwork of existing measures. Integrating or supplementing these efforts with EU funds requires delicate negotiation.
Meanwhile, it remains to be seen whether industry stakeholders will step up. For all their reliance on open source, most large corporations continue to exert outsized influence on projects critical to their operations while minimizing financial contributions. Calls to formalize industry buy-in are likely to intensify as the debate over public versus private duty continues.
Critical Analysis: A Double-Edged Proposition
The strengths of an EU Sovereign Tech Fund are manifest. It would place digital infrastructure on par with other forms of public investment, acknowledge the essential role of maintainers, and address the glaring mismatch between economic value and resource allocation. A well-run fund could seed dozens of critical projects with lifelines they need, make open source development more resilient, and secure Europe’s digital future against both accidental failure and targeted cyberattack.
Yet, risks abound. Too much bureaucracy, or funding poorly governed projects, risks breeding cynicism—and waste. Without robust mechanisms for monitoring, accountability, and follow-on support, funded projects could quickly wither, compounding rather than solving the “abandonware” problem. The absence of explicit corporate contributions allows industry players a “free ride,” potentially undermining public trust.
Moreover, questions remain about whether such a fund, even at €350 million, can make a material difference across the sprawling European digital landscape. A single vulnerability in a widely relied-upon project can have catastrophic results, and it is unclear whether increased funding by itself can foster the deep, systemic resilience required. Cultural, organizational, and community challenges may prove at least as formidable as financial ones.
Conclusion: Open Source at a Crossroads
As the EU weighs the prospect of a dedicated, multi-million-euro Sovereign Tech Fund, the broader world watches closely. The stakes are clear: open source is foundational, yet fundamentally underfunded and undervalued. Whether the EU will succeed in setting a new benchmark for public investment in digital infrastructure remains to be seen. The debate — intensely public and deeply political — highlights just how far digital infrastructure has come since its origins in volunteer labor and academic hackathons.
Whatever the outcome, one lesson is clear: open source is now a matter of public interest and strategic capacity, as integral to Europe’s future as its roads, power grids, and railways. The coming years—shaped by new funding models, policy experiments, and ongoing collaboration between the public and private sectors—will determine whether Europe builds a digital ecosystem as secure, resilient, and inclusive as the values it claims to champion.
Source: theregister.com Microsoft-owned GitHub says open source needs to be funded