NethServer Community: EU Open Source needs YOU

If you care about open source becoming real digital sovereignty (not just a slogan), take 5 minutes and submit your feedback to the EU consultation:

Even a short message helps: ask for productization, long-term maintenance funding, security requirements (SBOM/signing), and “open source fair” procurement.

Let’s make sure the people shaping the rules hear from the builders — not only from the big vendors.

Thank you for your support!


What we said as Nethesis.

If the EU truly wants to reduce digital dependency, it must stop treating open source as “research” and start treating it as critical infrastructure and an adoptable product. Today Europe generates open source value, but it’s often scaled and monetized outside the EU, while public administrations and businesses remain stuck on proprietary stacks due to procurement, inertia, and lock-in.

The problem isn’t a lack of open source software.

The problem is that the EU mostly funds the birth of projects, but not enough:

  • ongoing maintenance and security (patching, hardening, QA, vulnerability management);
  • productization (packaging, documentation, reliable updates, migrations, UX);
  • real adoption (legacy integration, training, support, SLAs).

Result: open source “exists”, but it doesn’t become the default choice in public administrations and SMEs.

What’s needed (concrete EU measures)

  1. Incentives for adopting Open Source software, not only for innovation.
  2. Vouchers or direct programs for public administrations and SMEs to migrate and integrate open source solutions (with measurable goals: reduced lock-in, portability, resilience, operational continuity).
  3. Grants for those who build European open source products that are ready to use.
  4. Funding EU companies that build and maintain product-oriented open source: release management, updates, documentation, roadmap, testing, support. Not “one-off features”: multi-year maintenance with clear accountability.
  5. “Open source first” procurement where possible, and “open source fair” always.
  6. EU tender specs and guidelines that remove criteria favoring incumbents (e.g., “vendor size”) and instead evaluate: interoperability, open standards, SBOM, artifact signing, governance, SLAs/support, exit strategy.
  7. Mandatory supply chain security in critical contexts.
  8. SBOM, signing, provenance/attestation, and vulnerability management policies must become minimum requirements for solutions adopted in public administrations and regulated sectors. Open source without supply chain security doesn’t scale; with these requirements, it scales better than opaque proprietary software.

Priority areas: Cybersecurity, VoIP, and Hybrid Cloud

  • Cybersecurity: firewalls, network security, logging/monitoring, and supply chain tools are essential for resilience. The EU needs verifiable, governable EU alternatives here.
  • VoIP/Unified Communications: communication is essential infrastructure for public sector, healthcare, and businesses. The EU should support reliable open source solutions (PBX/UC, SBC, identity integration, compliance) with migration and professional support.
  • Hybrid cloud: the foundation for workloads and data. The EU needs reliable, supported EU/open source stacks for virtualization and hybrid cloud management (orchestration, storage/networking, identity and policy), to avoid infrastructure lock-in and keep portability across on-prem and cloud.

Conclusion

If the EU wants technological sovereignty, it must fund what changes the market: adoption + productization + secure maintenance. Having open source isn’t enough — it must become the easiest, safest, and most cost-effective choice for public administrations, ICT partners, and SMEs.

3 Likes

The Commission would like to hear your views [on Open Source]

The initiative seeks to support the EU’s tech sovereignty and competitiveness agenda.

The consultation aims to gather input and evidence on the state of play on open source in the EU, including on strengths, weaknesses, barriers to adoption, viable business models, value of open source for public and private organisations as well as possible actions that could boost the European open-source ecosystem.

Feedback period – 06 January 2026 - 03 February 2026 (midnight Brussels time)

1 Like

Is Nethserver going to support OpenSUSE as subscription distro?
AFAIK it is currently the only EU-resident distro (after Mandrake self-extinguished)

NS8 can run on any Linux distribution that provides systemd and Podman. From a technical perspective, adding support for a specific distribution requires limited effort, provided there is concrete interest and a maintainer willing to support it.

When I read about a European open-source ecosystem, I primarily think about people (companies, contributors, and users) rather than distributions or code itself. Open-source code has no nationality.

Open-source code can be seen, but legally several times cannot be forked or legally used in other products (paid or not is currently not part of the topic IMVHO).
Because…

Copyright holders already had some… change of hearts during open source software history.
Redis

Red Hat (now owned by IBM)

which by the way is the owner also of the podman project.
MySQL (that generated MariaDB fork).

Let’s take some notes of key parts of NethServer products.

Linux Foundation, owner of the trademark of Linux and biggest kernel propeller is a non-profit organization in San Francisco. Most of the partners are not EU-based.
Podman, as stated before, is a project propelled by a US-based and owned company.
Wireguard is a trademark of a US citizen owner of a US and France based company.
Asterisk is fueled by a US-based company now owned by a Canadian-based company.
PostgreSQL is owned as copyright by PostgreSQL Global Development Group which is based at Santa Barbara, US.
Apache Foundation is a Delaware-based nonprofit corporation.
Last but not least: Rocky Linux and RESF are propelled by several US sponsors, starting with Ctrl IQ Inc from Albany which is founding sponsor.

Currently a lot of open source software is heavily US founded and copyright held. GPL is not the only license, and even a permissive one like BSD is born in Berkeley University.

It is a long way to gain digital sovereignty.

I’m not a lawyer.

But - AFAIK due to the US Cloud Act, at least in Germany/Europe the DSGVO/GDPR conflicts heavily with ANY software/data/connections held in a US cloud, or even in a cloud belonging to a US company. And most (Open Source) software in our days is phoning back home –> to US cloud or infra to share/collect data. Of course only to improve whatever… Open Source or not.

If I’m wrong, please correct me.

Therefore:

Not quite sure about this. If you’re brilliant enough you’ll end as billionaire, your idea/software/open source bought from Silicon Valley. Have a look at GitHub and M$. Who else will give you the money? See also the comments of @pike

Yes, Open Source needs help. So far this can only happen, if the EU does really want this. And to make this happen, a lot of money is needed.

I agree.

Yes, but it looks like it’s becoming really important given the latest geopolitical news.
And as OSS enthusiasts we need to play our part

The question remains, @alefattorini. Because the only distro this project is actively supporting (with money earned for the company) is US-Based as source (Red Hat) and US-Based as maintainers (Rocky Linux) and sponsors…

I may be misunderstanding your question, @pike, but it sounds like you are equating “digital sovereignty” with using only open-source software produced by EU companies. My understanding is slightly different: the real challenge is how to support EU people and organizations that develop and maintain open-source software, because open source - when properly governed - has proven to be more resilient to the kind of governance and licensing issues you mentioned.

1 Like

How come everybody thinks Open Source can be confined to EU companies, people and organisations? The very nature of Open Source says it all, OPEN to all, e.g. kernel.org

So it boils down to audits, governance according to a planned outcome. What is the desired outcome and how to safeguard the outcome (read, processing and data storage), forget about technical aspects, they are by far not on the thoughts roadmap.

1 Like

True.

Anyway - if anyone is seeking for help (money) from the EU to develop/maintain any kind of Open Source, rule no. 1 is to follow the GDPR. And right now it seems to me, that’s nearly impossible. Out of curiosity: anyone in here using STACKIT?