Open Source Summit Europe 2025

As software becomes increasingly critical to the functioning of the state, economy, and society, ensuring its security and stability is a core task for governments. Secure software supply chains are a key component of this effort and a decisive factor for successful digitalisation. To effectively guarantee supply chain security, a new approach to IT security architecture is required, one that brings together the expertise of security experts, developers, and government agencies to standardise testing procedures and facilitate collaborative security analyses. The openCode platform, run by the German Centre for Digital Sovereignty (ZenDiS), is central in addressing this challenge: by establishing binding security standards, promoting transparency, and enabling the tracing of origins for critical software components, openCode helps build resilient, sovereign OS infrastructure for public administration. A recent strategy paper published by ZenDiS and the German Federal Office for Information Security develops a strategy on how to secure software supply chains with openCode, which will be presented in this talk. 

The public sector has been an active user of Open Source Software (OSS) since its inception. Yet, adoption and reuse have fluctuated, along with the many policies and initiatives providing guidance and support. On the positive side, there is a wealth of experience to draw from.

In this presentation, we aim to inspire and provide insights from a study of 16 countries that are mature in their digital practices, as indicated through a set of digital maturity indicators. These countries are surveyed regarding government policies, rationales, support mechanisms, means of promotion, and success stories on OSS adoption.

We find diverse means in how policy is designed and motivated to support both the adoption and use, as well as development and release of OSS across sectors. The cases further provide in-depth examples of how the policies can be supported and enabled using Open Source Program Offices (OSPOs), communities, and codified knowledge.

Based on our findings, we will provide attendees as well as policy- and decisionmakers at national, regional, and local government levels, with recommendations for designing and fostering sustainable policies for OSS adoption.

The CNCF’s Cloud Native Public Sector User Group, founded in 2023, aims to advance cloud-native best practices within the public sector, with a focus on improving workflows and supply chain security.

Public sector organizations face unique and evolving challenges that complicate software supply chain security. These include the absence of standardized practices for what software can enter isolated networks, no shared root of trust, and a lack of frameworks for integrating public and private attestations. There's also no guidance for using shared, non-public infrastructure—hindering trust and automation.

This talk, based on learnings from the groups recent publications, explores how public sector consumers can receive trusted attestations that prove origin, integrity, and authorship—across companies, networks, and government entities. It also asks: what’s the minimum assurance needed for trust, and how do we balance stringent requirements without sidelining small suppliers?

Key Takeaways:

• Current challenges in public sector supply chain security

• Emerging needs for trust, attestations, and integration

• Ideas for equitable, scalable solutions across supplier sizes

The Cyber Resilience Act’s implementation deadline is 2027, but most organisations are reporting their current unreadiness. In this panel we lay bare the responsibilities individuals, maintainers, and foundations are required to conform to through four varying lenses: the CEO of open source foundation OpenUK; CTO of open source supply chain firm Kursai; OSPO PM for security multinational Sonatype; and CEO of open source security consultants ControlPlane. They hold current and previous security and open source leadership positions across The Linux Foundation, Canonical, OpenSSF, CNCF, FINOS, and OpenUK, and have been working on CRA responses and accountability since 2022.

Join us to discuss community responses to compliance, the Linux Foundation’s approach to self-attestation, and strategies for preparing your organisation's response to the impending legislation.

Software Bills of Materials (SBOM) have started strong, but there’s still more to say about our software. The 2021 Minimum Elements have served as a common specification for implementation around the world but, as many have noted, they are a bit dated. The Cybersecurity and Infrastructure Security Agency (CISA) has drafted an updated “Minimum Elements for a Software Bill of Materials (SBOM).”

This presentation will provide an overview of the draft 2025 CISA SBOM Minimum Elements and explain the factors that influenced the decisions behind the proposed updates. After reviewing the context of the 2021 NTIA Minimum Elements, the presentation will summarize the changes CISA has observed in the SBOM landscape since 2021 and provide an overview of the draft CISA Minimum Elements, noting how the proposed updates fit in with other regulations and guidance around the world. Finally, the presentation will explain key decisions made in the development of the updated Minimum Elements, closing with a PSA on how the community can share their thoughts and suggestions with CISA. The presentation will conclude with time for questions and discussion.

Who said that Government Tech has to be boring? In Norway the largest administration has been using Kubernetes for over 7 years! StatefulSets had just been introduced (alpha) and RBAC was still in beta. During this time we moved from quarterly releases to thousands of continuous releases each week across our fleet of cloud native applications!

Could we replicate the success we had at NAV for other agencies? Could we provide them with a fully managed platform as a service to let them focus on building new and innovative services for their users and not reinventing the wheel by building yet another platform?

In this session Audun and Hans Kristian will share their experience building and operating one of the largest platforms of its kind in Norway providing a fully fledged application development platform for more than a 100 product teams. And how they set an ambitious goal of being able to provide their platform as a service to other agencies.

What does it take to switch an entire public sector workspace to open source, including backend services and operating system? Backend services are deeply integrated with the IT architecture of the German public sector, making them challenging to replace. A recent feasibility study undertaken by the German Centre for Digital Sovereignty (ZenDiS) has investigated the legal, economic, and technical viability of replacing proprietary operating systems and backend services with open source alternatives in government agencies. Additionally, the study has explored the possibility of adopting an "ultramobile-first" strategy, where smartphones and tablets with OS operating systems, such as Android, are used as primary devices, and specialised applications are accessed through web browsers. The talk will discuss the findings of the study and the potential implications for the introduction of OS operating systems in the German public sector.

When driving on a highway, you have to follow the rules of the road—some apply to everyone, while others only apply to commercial drivers. Open source maintainers and software publishers face a similar divide regarding regulatory compliance.

While software manufacturers must meet extensive legal and security obligations, open source maintainers often assume these regulations do not apply directly to them—but do they? In this talk, we’ll separate fact from fiction by breaking down what rules like the EU Cyber Resilience Act require from maintainers versus software vendors.

We’ll explore the limited enforceable obligations for open source projects, including secure development policies and vulnerability reporting, and discuss when (if ever) these rules impact maintainers. By understanding these distinctions, open source contributors can make informed decisions about risk, responsibility, and collaboration with commercial software teams—without unnecessary compliance burdens.

Who maintains the software components everyone uses? Without open source libraries, protocols & tools, the world would grind to a halt. When it comes to sewers, roads & bridges, the government pays. For bits & bytes? There's a German phrase: digitale Daseinsvorsorge.

Who builds and maintains the sewers under our feet? The government! The same goes for the trains we ride and the roads we walk on. When we ask these questions about the basic components that underpin our world's digital infrastructure, the answer is very different. It's Daniel for curl, Piotr, Christian & Volkan for Log4j, a small team for Fortran, Sarah for Nominatim, Richard at Yocto and countless other maintainers.

At a time when software is eating the world, these foundations are terrifyingly precarious. We hope we're paying the right people to do the critical work of maintaining/securing these systems. Is it possible for governments & nations to help secure this public digital commons without running roughshod over the sprawling ecosystem of FOSS communities that created it?

As governments provide education, clean water and transport in the public interest, they can invest in digital services and open source.

In an era of geopolitical shifts, countries seek technological independence, with open source as a key strategy. While US/European developer density is well-known, their interconnections with China’s ecosystem remain under explored. This talk aims at providing an overview based on quantitative data of the evolution of the European and Chinese ecosystems. And give indicators of commonalities across both industries through potentially shared interests.

According to 2024 global open source data released by China's OpenAtom Foundation:

• Europe leads with 3M+ active developers (17.8% YoY growth), while China follows with 2.2M+ (24.05% growth).

• Europe dominates mature domains like OS (3.49M annual contributions) and front-end (9.59M), while China excels in emerging fields such as AI (+29.94% ) and semiconductors (+121.64%).

This is growing a non-exclusive and possibly complementary ecosystem of body of knowledge, tools, and processes where different parties can take advantage of.

This talk will share some thoughts on possible collaboration pathways including: technical synergies (trusted AI and compliance), policy alignments, and community coordination by lowering the barriers.

As open source grows in importance, more (semi)public organizations recognize its value. However, (semi)public organizations face unique challenges in adoption.

For organizations new to open source, developing a strategic approach and ensuring internal readiness can seem overwhelming. From engineering and technical teams to legal, finance, marketing, and executive leadership, aligning stakeholders on responsible and open source participation is critical—but not always straightforward. Many organizations address this by establishing an OSPO to create policies, provide training, and share best practices for open source adoption and contribution.

This panel brings together Open Source leaders from the Dutch (semi)public sector to discuss strategies for managing open source and fostering open source readiness. Panelists will share insights from their own open source journeys, offer practical guidance, and explore best practices for building open source engagement. The discussion will also highlight the role of open source in advancing Digital Sovereignty, ensuring organizations maintain control over their digital infrastructure while leveraging the power of open collaboration.

My story/message/ problem statement would be:

- A cultural change needs to take place. Instead of building software themselves, organizations should first explore the landscape (open standards/existing projects).

- However, not all OSS projects are yet findable in the public sector/with suppliers.

- Also, much metadata available in repositories is not platform-agnostic (thus embedded in Gitlab/Github)

- The agnostic standard that solves this: publiccode.yml. We need to apply this standard but also invest in it/contribute to it. Only then will it become more usable.

- "Infrastructure-as-code" projects within the government are increasingly available as open source. Organizations like Kadaster and Wigo4IT are about to open source this. To make the Dutch Digital Infrastructure more sovereign, it is crucial that these open source infrastructure components are also made findable.

- The publiccode.yml standard is already being used by FR/DE and Brussels, so it's logical to invest in this standard. We will have to make all our initiatives easily findable/searchable! The quality regarding metadata needs to improve.

Besides this i would like to emphasize that working OSS is just more fun.

As the world grows increasingly fragmented, Europe stands at a digital crossroads. The loss of digital independence threatens its cultural, intellectual, and economic values. Post-Brexit, freedom of movement has been constrained—now, Europe risks a similar fate in the digital realm. Dependence on proprietary, foreign technologies undermines Europe’s digital sovereignty and its ability to shape its future.

This talk explores why Europe must invest in open-source software to preserve its freedoms, diversity, and identity in an evolving digital ecosystem. Open-source is more than technology—it’s a path to autonomy, reduced corporate dependency, and dynamic local markets that drive innovation. As software reshapes our lives, open-source ensures Europe’s digital landscape remains as diverse as the continent itself.

We’ll examine how open-source can counter AI’s global, generic biases by fostering systems that reflect Europe’s rich cultural tapestry. By embracing open-source, Europe can protect its digital future and core freedoms of movement, trade, and expression that define its identity. What does Europe stand to lose if it fails to invest in open-source technologies?

OpenChain is the international standard for open source license compliance programs ; it has been created by a joined effort of the community. The OpenChain project has several work groups. The Telco work group was formed to create a recommendation for an SBOM format to be exchanged between telecommunication companies, their suppliers and customers.

The result is the "OpenChain Telco SBOM Guide" that describes what a quality SBOM should contain and how and when it should be distributed. It includes industry standard requirements like "NTIA SBOM Minimum elements" and PURL. Although developed by telcos, it is generic and can be used by other industries.

The OpenChain Telco SBOM Guide is used by Nokia as a basis for its SBOM format. The talk will discuss lessons learned from implementing the Guide at Nokia. Putting the Guide in practice has led the community to provide a minor release 1.1.

Nokia provided an open source tool to validate SBOMs against the Guide. It allows to recursively validate linked SBOMs. It is available under Apache-2.0 license.