
A few weeks ago, OSS EU ’25 and OpenSSF Community Day took place in Amsterdam. This article is inspired by the talks at these events and aims to connect some of the recurring themes. One key question stands out: should the European software industry rethink its ways of working and its reliance on a small set of individuals? And should Europe secure funding for the Open Source projects that are so crucial, the assets we all depend on?
Legislation is coming.
The Cyber Resilience Act (CRA) is no longer a distant topic — we are already six months in. The first concrete obligations take effect in September 2026, and full enforcement will follow in 2027. The pressing question is: are we, as an industry, truly ready? Do we fully understand our roles, responsibilities, and obligations under this new framework? Studies report that the majority of the software industry has little or no familiarity with the CRA [1].
One of the most significant requirements of the CRA is the obligation to publish vulnerabilities. This is widely accepted across the industry as the professional and responsible way to avoid unnecessary harm to third parties. But the legislation doesn’t stop there — it goes a step further, requiring that we also publish mitigations if we have developed them within our products.
At first glance, this may sound like excellent news for the upstream open-source community. But what happens if a contributor hasn’t signed the project’s CLA? Or if they relicense the fix under terms unacceptable to the community? Or if the fix resolves one issue but breaks another use case? While the intention behind the legislation is positive, these open questions could lead to greater fragmentation within open-source communities and impose additional burdens on maintainers.
And vulnerabilities are just one piece of the CRA puzzle. The Act reinforces that manufacturers are responsible and liable for faults in their digital elements. But in today’s complex software supply chains, your responsibility doesn’t end with Open Source you pull in yourself but extends to Open Source brought by your suppliers. Are your suppliers aware of their obligations? Have you accounted for this in your supplier relationships and contracts?
The reality is that companies are at very different stages of readiness when it comes to engaging with open-source communities — and this uneven maturity creates further challenges for implementing the CRA effectively. We are already six months into the first stage of the CRA, and the clock is ticking.
European Sovereignty & Open Source
The debate around “EU Open Source” has resurfaced. But it’s important to remember: by definition, Open Source is global. Europe is home to many strong contributors, yet the majority of funding for OSS still comes from the U.S. Perhaps the more pressing question for Europe is: how can we strengthen funding and ensure long-term support for Open Source projects here?
When we look at how companies support OSS communities, contributions typically fall into two categories:
- Funding projects or maintainers
- Contributing labor through employees actively engaging in project development
On the funding side, the imbalance between the U.S. and the rest of the world is striking. Recent studies [2] show that 65% of VC-backed commercial open source software (COSS) companies are U.S.-based—double the share of U.S. software companies overall. By comparison, the global distribution of software company headquarters is: 33% U.S., 25% Europe, 28% Asia, and 14% elsewhere. This highlights a clear gap in commercial engagement between the U.S. and the rest of the world.
COSS companies also tend to outperform closed-source companies: they raise funds faster, achieve higher valuations, and see stronger results at IPOs and M&A events. Yet if we turn to the Open Source Contributor Index (OSCI) [3], we see another imbalance: among the top 10 contributors, only two are European. Given the size of Europe’s software industry, this is a significant underrepresentation.
Looking at the Cloud Native Computing Foundation (CNCF)—one of the fastest-growing Open Source communities—provides another perspective. Ranked by contributions over the past year [4], the top six organizations are all U.S.-based, led by Red Hat, Microsoft, and Google. SUSE appears at seventh, Ericsson at fifteenth, and Spotify at twenty-first. Sweden shows strong commitment through corporate investment (hiring developers to work upstream), but beyond that, no other European countries appear in the top 50. Europe not only lags behind the U.S., but also Asia, where DaoCloud, Huawei, Alibaba, and Ant Group are major contributors.
Securing Our Software Supply Chains
Across the industry, one thing is clear: securing supply chains is no longer optional. The OpenSSF has outlined best practices, but we need stronger, collective action to put them into practice. Open Source is a critical asset for the entire software industry — much like the machines in a paper mill. If the machines are left unattended, the factory loses value and eventually becomes unusable. The same holds true for Open Source: without sustained investment, support, and care for maintainers, we risk allowing vital infrastructure to decay.
As discussed earlier in this article, new legislation is starting to take effect in the form of the Cyber Resilience Act (CRA). This will require companies selling digital products in the European Union to take responsibility for maintaining and fixing security vulnerabilities in their offerings. At the same time, there is a clear lack of engagement from European companies in Open Source contributions. This imbalance poses a serious threat to the European software industry unless we act now.
Like the rest of the world, European software companies rely heavily on Open Source — in some cases, as much as 85% of a product is built on Open Source. Yet, there is little commercial investment to ensure this foundation remains secure and up to date. The question for industry leaders is pressing: how will you meet these new obligations without actively supporting the very Open Source infrastructure your products depend on?
Conclusion
Open Source is more than code—it’s a shared global asset. To keep it secure, reliable, and thriving, Europe must play its part: funding projects, supporting maintainers, and contributing actively. The future of the software industry depends on it.
References
[1] Unaware and Uncertain - The Stark Realities of Cyber Resilience Act Readiness in Open Source
[2] Linux Foundation / Serena Capital Report