Request for Comments for the European Open Digital Ecosystem Strategy

Dear OSM Community,
We recently received an email at the OSM Foundation inviting us to answer on behalf of the OSM project, in the open request for Comments for the European Open Digital Ecosystem Strategy, set up by the European Commission.

The questions to be answered, as seen in the call for evidence file, are:

1. What are the strengths and weaknesses of the EU open-source sector? What are the main barriers that hamper
   (i) adoption and maintenance of high-quality and secure open source; and (ii) sustainable contributions to open-source communities?
2. What is the added value of open source for the public and private sectors? Please provide concrete examples, including the factors (such as cost, risk, lock-in, security, innovation, among others) that are most important to assess the added value.
3. What concrete measures and actions may be taken at EU level to support the development and growth of the EU open-source sector and contribute to the EU’s technological sovereignty and cybersecurity agenda?
4. What technology areas should be prioritised and why?
5. In what sectors could an increased use of open source lead to increased competitiveness and cyber resilience?

We would like to read your comments over the next couple of weeks, and we invite the overall OSM community to give their feedback on this thread. We will then compile the feedback and share it with the European Commission.

Thanks in advance,
Héctor
on behalf of the board and the EWG

As a reminder, while the OSMF is registered in the United Kingdom, we have been planning to relocate the organization to the EU for a while.

Sorry to start with a contribution on weaknesses, but obviously I would not be here if I did not think that strengths vastly dominate weaknesses. Still, I’d say that most weaknesses gravitate around what some scientists name “design power” and that is easier to concentrate when the density of capital is higher (e.g. in startups and private/public labs):

• the ability to design UIs
• the ability to design conceptual models
• and more generally the ability to smoothly innovate once good enough solutions have emerged.
  Hiccups such as observed in the history of Maps.me / OrganicMaps / Comaps illustrate this, in my view: it is tempting to switch to a less community-driven mode to solve some issues, but then the benefits of community-driven governance erode.

Foster collaborations between academics who study the above phenomena (e.g Bauhaus for Transitions – Managing the Unknown Design-Oriented Management Science) and open-source communities.

“false flag” digital commons, where the public is asked to contribute time or personal data under false pretences of community-driven work, and they find out that the created database belongs to private interests. Disappointment ensues, and probably also the future ability to trust real digital commons projects.

Calls for public data contributions should be regulated similarly to public solicitation of funds so as to maintain trust.

Europe stands strong in technical quality, open standards, public sector alignment, and relevant & community-governed infrastructure software that supports our digital sovereignty and avoids vendor lock-in.

We struggle with fragmented initiatives, risk-averse procurement, and chronic underfunding of maintenance and security. Grants cover feature development, but not underlying maintenance.
This leaves many critical projects on a small number, usually not more than one, part time maintainer.

(i) Adoption and maintenance are hampered by the funding bias towards market-ready features over invisible security or structural refactoring work. This leaves critical infrastructure vulnerable.
(ii) Sustainable contributions to the high-performance rendering space are hampered by an inherent high complexity, leaving casual volunteers out or the one (maybe two) maintainer(s) capable of doing the work to burnout.

Underlying both issues is the widespread free-rider dynamic, where everyone is using it but only a few are paying. With the current shift in the private sector towards focusing solely on ROI, this situation will deteriorate in the next few years.

For the public sector, MapLibre provides essential digital sovereignty and cost control, allowing agencies such as the Cartogràfic i Geològic de Catalunya (ICGC) or Landesamt für Digitalisierung, Breitband und Vermessung to provide critical infrastructure without the risks that a commercial solution would have.
In the private sector, major corporations like AWS and Meta leverage MapLibre to commoditize the map rendering layer, avoiding competitor licensing fees while enabling nimble startups like Felt to pursue permissionless innovation on a flexible, open architecture.

Ultimately, the added value is best assessed by the strategic exit option of the Fork button weighed against the operational costs of maintenance.

Establishing an EU Sovereign Tech Fund! Dedicated to financing the essential but currently unpaid maintenance and security audits of our common, digital public goods like MapLibre.
This would shift the landscape from “innovation grants” to long term resilience.
This direct investment fixes the market failure of the “free as in beer” open-source sentiment.
Examples are refactoring a complex C++ rendering engine into a memory safe language for added security or just being able to fund a security audit (which the vast majority of OSS projects cannot do financially).
If this does not happen, the market will further sour, and more OSS projects will have to seek different sources of funding - usually not so well aligned with the public good, but rather making ends meet.

The EU should prioritize the transition of critical open-source infrastructure toward memory safety, specifically funding the modernization of legacy C++ codebases to eliminate systematic issues like buffer overflows and undefined behavior to newer langues like Rust, Swift or Go.

For foundational projects like MapLibre, which process untrusted data on millions of devices, rewriting core components in memory-safe languages (like Rust) is a massive but necessary undertaking to ensure resilience against modern cyber threats. Prioritizing this area moves the ecosystem from a reactive posture of “patching bugs” to a proactive posture of “secure-by-design” architecture, directly supporting the goals of the Cyber Resilience Act.

The market will not prioritise this because currently the cost of a cyberattack is still perceived as lower. With the advent of the next class of advanced persistent threat, a false friend.
The market is also currently not funding the demands that the CRA sets.

In automotive and logistics, European carmakers (VW, BMW) are currently buying into US firms like Mapbox, Google, or Apple.
A more competitive MapLibre would allow these firms to skip paying per-user licensing fees, directly boosting cost and innovation competitiveness.

In emergency response and defense, we must recognize that Europe is no longer a backwater but is facing active threats - be they pandemics, climate disasters, or armed conflicts…
We need to do better than we have done in the past decades with better-functioning, fully offline capable maps that survive where a coordinated cyberattack would have brought centralized services to their knees.

The only way to achieve this is by investing in open source directly, rather than relying solely on the regulatory pressure of the Cyber Resilience Act.

Who’s the our in, In our opinion..?

I removed it

Based on A post-American, enshittification-resistant internet I think Europe should repeal Article 6 of the Copyright Directive so:

• People and companies can reverse-engineer devices so that the can run OSM maps instead of proprietary maps
  * Google can no longer force App’s to use Google Maps

That is an OSM specific advantages of this, I see many, many more, quoting from the article:

Legalizing jailbreaking, raiding the highest margin lines of business of the most profitable companies in America is a much better response to the Trump tariffs than retaliatory tariffs

I would also like to see that government require that the chosen vendor can not be forced by any other governments to provide access to government data. That automatically rules out everyone hosting on Google, Microsoft or Amazon or any Chinese owned cloud.

On:

A weakness is that there is no Euro cloud providers or Eurostack, these are American or Chinese only.

It is not easy:

Google doesn’t force apps to use google maps it is just substantially more convenient to do so.

So; as I have been canceled for stating my opinion under violation on my freedom to speech I will press charges Given, this will not likely lead to anything watching the nepotism in place.

Anywho.
A slim version on my ideas.

EU Open Source: The Real Deal (TL;DR)

Europe’s OSS scene: 86% adoption but only 22% have strategy.
Germany/Nordics solid, Italy policy without people. Procurement rigged for proprietary. Companies consume, don’t contribute—extractive.

Fixes: “Open Source First” procurement default.
Scale Sovereign Tech Fund.
Mandate corporate upstream funding.

Value: Lower TCO, no lock-in, CLOUD Act resistance.
Security if funded. Global commons, not “European control” (that’s Eurocentrism).

Priorities: Cloud/edge (40%), healthcare (25%), energy (25%). Public admin gets interoperable stack.

Governance truth: Vienna participation model good, but needs real power transfer, not theatre. Include Global South or repeat proprietary power dynamics.

Regulatory win: CRA/AI Act favor OSS—volunteers exempt, integrators responsible.

Sovereignty ≠ control. Commons need distributed governance.
Europe leads by ceding power strategically.

PN me for the full statement - as its figuratively improper to post it under the eyes of big brother

If you squander your freedom of speech by “speaking” things that a machine has generated for you, then maybe it’s the machine that should complain, not you. (I am on the email interface and have therefore had the opportunity to frown at your first attempt.)

You have not been “canceled”, you have just been asked to respect the community by not throwing AI-generated rubbish at them.

and it is on you to decide (obviously) what is rubbish and what not?

Remind me - how have you typed out this message again?
If not by your mind through a computer interface, right?

With all due respect, the so called guidelines for bot-generated content are a gray area people use to prosecute others on their feelings of justice.
Which is okay, under certain circumstances.
That we can agree on, no?

Can you try again? I’ve read the words here several times but communication of what you actually meant eludes me.

What do the percentages actually refer to? What does “still strong” mean?

(to be clear, this is not a statement about the way that you wrote it, but what was the end result)

I may try later on better terms. This sure revealed a lot to me. Thank you.

This is my draft reply for the inquiry of the European Union. While I’m symptathetic if people deem this kind of politics boring, these kind of politics inform laws and taxpayer budgets that in the end can make life for OpenStreetMap anything from very easy to very hard. We should at least attempt to routinely give some input, even if the Foundation has neither the will nor the means to run a ful scale lobbying operation.

I’m in particular grateful for suggestions where to prune or simplify the text to make it more impactful.

In a nutshell:

• We want to nudge the EU towards a European STF, as the STF impact on OpenStreetMap and elsewhere is highly positive
• We want to get people used to the idea that always a fraction of spending on The Hot Shit is towards The Boring Infrastructure that is silently but actually mission critical for the former
• The strength of open source (and OSM) is the credible long term maintainability, the real weakness the lack of long term funding
• The hidden strength of open source is that it draws in much more competent people

1. What are the strengths and weaknesses of the EU open-source sector? What are the main barriers that hamper

(i) adoption and maintenance of high-quality and secure open source; and (ii) sustainable contributions to
open-source communities?

Europe is and always has been highly connected both internally and to the rest of the world. This reinforces the benefits of Open Source and subsequently of the sector in Europe. Also, the social model of many educated people having available time beside their day jobs means that there is a broad latent pool of developers (notwithstanding that there are also many full time Open Source developers).

(i) For many areas of software there is a vendor lock-in in place. This is in particular true given that many people rather get educated rather to become users of incumbent software than to understand how software is made.

Secondly, many IT departments are substantially underfunded, along with the organisations they support, and expectations about appropriate salaries skewed. As a result, there is a risk that artifacts from underfunding are misperceived as shortcomings of newly introduced Open Source components.

It is understood that in some cases it may work the other way around. There are instances where the adoption of OpenStreetMap had a fast enough effect on cost savings or enabling work at all within the available budget because efficiency gains materalize fast enough. This usually happens where a rather competent staff can take advantage of a relatively simple software stack, but this is the exception.

(ii) Many projects have a general uncertaintly about their funding and have a rather short funding horizon. In the OpenStreetMap ecosystem, few projects have a secured funding beyond a year or so, and elsewhere it might be even shorter. This is even true despite it being used for infrastructure with decades of lifetime.

More sources of funding over a longer horizon of time will help developers to more clearly highlight longterm downstream use from otherwise more tentative applications.

2. What is the added value of open source for the public and private sectors? Please provide concrete examples,

including the factors (such as cost, risk, lock-in, security, innovation, among others) that are most important to
assess the added value.

Interoperability

The Metropolregion Ruhr has used OpenStreetMap data to create an end user map: it enabled them to use the accurate information what is on the ground independent of department friction or policy side-effects. The mission critical advantage is that OpenStreetMap is a neutral platform, opposed to many partial data sources that are incompatible to each other. Some transit agencies have modeled station data there or use POI information from there for again being an unhampered and comprehensive source.

For the same reason, some fire brigades and some government agencies have at time used OpenStreetMap data as a fairly neutral source to reality check outdated or incomplete data they got from responsible utility companies or other sources. We do not have a citable source for this.

The Deutsche Bahn has started to share the availability of their elevators in real time. This has in combination with OpenStreetMap data not only enabled access-free routing. It also attracted people to reflect about the data, to uncover patterns, and to build public trust in the infrastructure.

New Applications

Most bicycle navigation systems and virtually all pedestrian navigation systems are based on OpenStreetMap data.

While there is hardly a business model to collect and maintain the full grid of ways for bicycles and pedestrians, there is a strong interest from actual users of these ways to keep them mapped. As a result, the openness of the platform is mission critical to bring enough mappers to work on one coherent set of data and trust it to exist long-term.

Both navigation modes also profit from a lot of actual Open Source software development. The challenges to get directions for these modes of transit right a different from car navigation. The presence of a huge and accurate data set has been vital to supply the software development with samples what does exist and what does not.

All open source navigation systems are in heavy use in Europe, and many of them are maintained in Europe.

It is reasonable to believe that a substantial part of the modal shift from cars to bicycles is due to the availability of practial navigation tools. I.e. the open source stack has a positive environmental impact here.

Visibility and Enabling

The city of Düsseldorf runs a huge fleet of gas lighting since more than a century. This has only been perceived as the actual valuable heritage that it is after activists have created a map of their positioning and shared that with the local newspapers. The project has only been in reach of few individuals because a stack of open source software around OpenStreetMap exists and the lamps have been recorded in OpenStreetMap.

I.e. there has been the real world effect of turning the gas lighting into actual heritage.

A less spectacular but even more impactful effect is that OpenStreetMap data is mission critial to geolocate photos. Geolocation tools like the ones of Bellingcat or Deutsche Welle rely on the possibility to have higly flexible search options on the geodata, which is only possible by an open source software stack operating on fully open data.

3. What concrete measures and actions may be taken at EU level to support the development and growth of the

EU open-source sector and contribute to the EU’s technological sovereignty and cybersecurity agenda?

The main challenge of Open Source is to have a sustainable business model amid the ever present opportunity to free-ride. The actual added value comes from the provided souvereignity, from attracting more competent people, and long term maintainability, in particular independent from the original vendor. None of this is usually visible already on a quarterly bottom line.

The EU shall ensure that tenders for public procurement are friedly towards Open Source. The longer the term of the procurement, the more important.
The strongest asset of Open Source is that the purchaser saves the right to copy and modify the code and let repair or rebuild the system or parts thereof at any later time by any company of the purchasers choosing, with no additional fee.
Procurement shall include such clauses.

A strong antipattern is if laws award to a company a de facto monopoly.

4. What technology areas should be prioritised and why?

Open Source shows its strengs towards long term support and towards making contributions easier for any competent party.
This results in a high benefit-effort-ratio in the context of infrastruture. The longer a system is supposed to exist, the more benefit comes from the fact that it can be maintained by a broad set of people.

In addition, more grounded systems with the simplest possible interfaces have lower barriers of entry. By a lower number of dependencies they also have a longer useful lifetime.

Typical examples of nearly universal usage are web servers and browsers, databases, in particular classical relational databases, operating systems and runtime envoirments on top of them. But also web projects that preserve the knowledge of the world (where OpenStreetMap does humbly see itself along WikiMedia and others).

By contrast, the technology of the day (AI, Cryptocurrency, Quantum Computing) is usually exploited by a whole flock of venture capital start-ups that are designed to attract and burn money and burn attention for that purpose as well. This is usually a poor use of taxpayer money, although it is understood that there is political momentum in each case.

The German STF has proven to pick a decent choice of infrastructure projects.
Thus a simple but very effective approach can be to

• create an STF on the full Europrean level in coordination with the German STF
• hand over one Euro to them for every ten Euro of investment made elsewhere for IT technology of the day, i.e. a fixed small ratio to emphasize the efficency advantage that thits approach has

5. In what sectors could an increased use of open source lead to increased competitiveness and cyber resilience?

Simply said, everyhwere. Almost no piece of software is simple enough to be proven harmless.

A hidden kill switch on defense equipment is an obvious risk, but a hidden kill switch on electrical equipment or many public service vehicles can be devastative, too. This goes all the way to social media where a bias in censoring or hiding content is an obvious device of manipulating public opinion.

The more grounded example of that only a common data format of open data made a map available to everybody from first responders to market authorities to simply an ecosystem of service providers has already been given.

I like the general reply, agreed this is the kind of boring politics but these kind of things can have a large impact.

The document shows that but I think two more things are needed on this:

• Briefly explain what is an STF, I had to ask the web.
• Briefly describe the positive impacts you see as concrete as possible.

It’s not really any of my business, but I would note that all the postings up to now don’t really have any particular EU specific angle, and boil down to the old “give us more money” (or more tongue in cheek: I don’t want to work a regular job and now you should pay me for what is my life style choice) common to OSS aficionados globally.

However if the EU really wants independence from US big tech then funding OSS devs is not solving the problem, essentially all the infrastructure OSS relies on is in US hands, over nearly every public collaborative source code management systems, to all relevant binary artifact repositories. Not to mention control of such minor pieces of the ecosystem like Linux.

All of that could vanish with one executive order, think about -that-.

some important projects have outright no funding

I think you got that the wrong way around. Truth is, all of that US infrastructure that they have been so successfully advertising as indispensable heavily relies on OSS software created and maintained to a good part by European volunteer OSS developers. They’d be in a hell of a lot of trouble if all those maintainers went on strike suddenly, especially now that management has decided to replace their workforce with AI. The EU would certainly do well to recognize that valuable resource that has been quietly toiling on in their area of influence.

It would be a grave mistake to develop a digital strategy that basically aims at making a copy of the US-provided infrastructure in order to gain independence. It’s impossible to do so because we don’t have the mindset for it and I suspect (or hope) we don’t want to develop one either. The EU has something better: a strong OSS community that has a lot of knowledge on how to build up a digital infrastructure on a shoestring budget in an extremely efficient way and with goals like privacy, equity and democratic process in mind. So, yes, supporting those pesky people who apparently can’t hold a real job, would actually further strengthen a competitive advantage that is already there.

The tricky part here is to how to actually make use of this OSS resource we have. One possibility would be to take a step back and think about what problems your digital strategy is actually trying to solve. Right now, digitalisation is often defined as “going to the cloud” and “introducing AI”. That’s just two possible tools in a large toolbox that modern technology offers. And they are not necessarily the best ones when it comes to problems like “making bureaucratic processes more efficient”. On the contrary they have the tendency to introduce an endless stream of levels of indirections and additional cost (which, to be fair, is not the fault of the technology but of those who sell it).

The OSS community is (somewhat by design) not very good at communication, business or politics. They are good at technology. The EU would do well to recognise that and supply the infrastructure that supports the OSS community where it is weak. Basically all of the questions in this RfC have the underlying assumption that OSS needs to be compared to a business. I think that is wrong. Think of OSS as a field of science. Support maintainers in the same way you would support researchers and expect results as you expect them from universities. Which mainly means: make sure they can pay rent but let them otherwise do their thing and compete among each other. Make further sure that the transfer of results into the commercial world works as smoothly as possible for both sides.

Both things can be true at the same time.

A strike of European OSS maintainers doesn’t seem to be a credible threat for many reasons, on the other hand we have had and continue to have concrete examples of US owned infrastructure being used to further political goals (some we might even agree with).

Those are your words, not mine. Not wanting conventional employment is a time honoured thing that can work in many ways, but you don’t get any guarantees that it can actually sustain you and you need to fend for yourself.

PS: I’m not quite sure how serious you were when suggesting that the hell hole of the academic rat race should be the model for open source development, but it is a very amusing thought.