The Missing Level: Why EU Open Source Fails Locally
Script for FOSDEM talk @ Dev Room: Open Source and EU Policy
URL: https://fosdem.org/2026/schedule/event/XCQW98-why-eu-open-source-fails-locally
Author: Rasmus Frey, rasmus@os2.eu
Minute 0:00-1:00 | Opening
I want to start by being very explicit.
What I’m about to say is a deliberately sharpened argument.
What I share draws from practical experience leading Denmark’s OS2 collaboration - years of attempting to make open source work at local municipal scale.
The claim is:
European open source policy fails locally - because it is designed for the wrong level.
Minute 1:00–3:30 | Point 1 - The missing level
Europe builds digital policy in a multi-level system.
The EU sets ambitions.
National governments translate them into strategies.
Local governments are expected to implement.
This division of responsibility makes sense democratically.
But it is also where implementation often breaks down. This is where policy meets reality.
Denmark is not unique in this.
Across Europe, the form differs. But implementation and risk are pushed downward, while control remains upward.
Local authorities carry responsibility for delivery.
But they often lack incentives, competencies, and protection against risk.
They are not unwilling.
They are constrained - and focused on keeping existing systems running.
So open source becomes optional.
Digital sovereignty becomes aspirational.
And strategies remain documents rather than systems.
From my work in Denmark’s OS2 community, one insight stand out:
Policy designed for one level but implemented at another transfers risk without transferring power - and that structure guarantees failure.
Minute 3:30–6:30 | Point 2 - Not a technology problem
In many public institutions, digitalisation is perceived as so complex that it is better left to others.
This creates a culture of distance rather than ownership.
Open source suffers as a consequence, because it is assumed to require even more competence and responsibility.
Out of this culture grows a convenient explanation: that the problem is technical quality rather than structural power.”
This explanation does not hold up when confronted with how public institutions already operate.
A typical Danish municipality already runs 300 to 500 IT systems.
Many are deeply integrated.
This is not unique to Denmark.
Complexity is not new.
It is already managed every day.
Replacing software is rarely the main challenge.
Transitioning organisations are.
Take the digital workspace.
Open alternatives exist.
But when the underlying infrastructure remains locked the workspace becomes a surface layer on top of deeper dependencies.
We are just changing what users see without changing what binds the organisation.
And this is not an accident.
Governance, contracts, competence profiles, and leadership structures are set up to minimise blame - not to enable transition.
And another uncomfortable truth.
Large IT vendors are often invited into advisory roles.
They help define what is considered realistic.
They shape procurement culture.
When vendors define realism, sovereignty rarely follows.
So let me be clear:
This is not a software problem.
It is a governance, culture, and power problem.
Minute 6:30–8:30 | What needs to change
So if Europe is serious about digital sovereignty, policy must enable the level that implements - not just the level that decides.
That requires three shifts:
Risk must be redistributed.
Local actors cannot bear all implementation risk while having no control over strategy. They need room to experiment, fail, and transition without being punished for taking responsibility.
EU institutions must demonstrate feasibility - must walk the talk.
If open source and sovereign solutions are good enough for Europe, prove it works in Brussels first.
New projects must become the exception that challenges the norm - stop doing what we have always done.
Because right now, we are already deep in a hole and continuing as before only digs it deeper.
But we are still designing solutions for the level that must change, without involving that level in the conversation.
We are writing strategies. And every strategy assumes the implementation level will somehow figure it out.
It won’t.
Minute 8:30–9:30 | Closing
We know what needs to change.
The question is whether we are willing to start treating governance, risk, and power as the actual challenge.
Because right now, every new strategy, every new funding program, every new OSPO initiative assumes the missing level will somehow figure it out.
It won’t.
So what will you do differently on Monday?
Will you ask: who bears the risk, who holds the power, and what structural conditions must change before any of this can work at scale?
If you want to move someone, you must first understand them.
That means standing where they stand, not where you want them to be standing.
Thank you.
Panel: Public Procurement for Digital Sovereignty
Primary question and answer in the panel after my talk
URL: https://fosdem.org/2026/schedule/event/WKCBGM-procurement-sovereignty/
Author: Rasmus Frey, rasmus@os2.eu
Question: What policy action can the EU take now, particularly with the Public Procurement Framework revision?
Answer: This is one of those questions where at first I think I have an answer, but the the answer opens three new problems. And I’m in no way an expert on procurement - but let me share where my thoughts.
Procurement must actively protect public actors’ room to operate - not just permit it. That requires some things:
First: A procurement must require transparent exit-cost as a standard evaluation criteria.
And not just technical migration cost - but the total cost of transition. What does it actually cost to leave this specific vendor/product in let’s say three years? This makes the lock-in economically visible before the contract is signed, not after.
Second: The EU should develop and maintain standardized procurement specifications for digital sovereignty.
Not guidelines. Not recommendations. But actual specifications that national and local authorities can use without bearing legal risk. And to take the vision further. If we’re serious about this, these specifications should themselves be maintained as an open source project - with transparent governance and professional resourcing …. Let’s Walk the talk.
Third: Somehow establish legal safe harbor for authorities who use these specifications.
Right now, local implementers bear all the risk when they challenge vendor dominance and there are currently tools in the box not being used because of risk-avoidance. If the EU wants local actors to implement EU ambitions, the EU must bear the risk when those actors follow EU guidance.
I have not solved this. The point is that we must design the structures that can carry on the strategies. The procurement revision is an opportunity to do it differently - to align risk with ambition, and to activate the level where change must actually happen.