Brief № 024 · Strategy
EU open source strategy: the SME test
The EU's June 2026 open source strategy gives SMEs a practical procurement test: less lock-in only matters when the software can be run.
On this page
Europe’s new open source strategy is easy to misread as a software preference. For SMEs, it is more useful as a procurement warning: a tool is not independent because the code is visible, it is independent when the business can still run it after the supplier changes terms.
On 3 June 2026, the Commission made open source one of four pillars in the Tech Sovereignty Package, alongside Chips Act 2.0, the Cloud and AI Development Act and the energy digitalisation roadmap. The official fact page frames open source around lower lock-in, inspectable code, reusable building blocks and more choice for public administrations, SMEs and start-ups.
The policy is about dependency
The Commission’s own numbers make the dependency argument plain. Europe has more than three million open source contributors, but still depends heavily on non-EU providers across software, cloud, AI and infrastructure. It also says Europe spends more than EUR 260 billion each year on digital technologies from third countries.
That does not mean an SME should rip out every proprietary tool. Most small firms do not have the staff to maintain mail servers, security tooling, ERP extensions or model infrastructure from source. The useful reading is narrower: when a workflow becomes strategic, the buyer should understand where it is locked in and what would be needed to leave.
| Procurement layer | Open source helps when | It does not help when |
|---|---|---|
| Application | The firm can export data and run the core workflow elsewhere | The hosted service hides the database and configuration |
| AI tooling | Prompts, evaluations and logs are portable across models | The workflow is trapped in one vendor’s interface |
| Cloud stack | Deployment scripts and dependencies are documented | No one owns patching, backups or incident response |
| Public-sector work | Standards and interoperability are part of the bid | ”Open” is used as branding without an operator |
Source: European Commission Open Source Strategy and Tech Sovereignty Package pages. Last verified 2026-06-22.
The exit file is the practical test
An SME does not need a philosophical position on open source before buying software. It needs an exit file.
That file can be short. It should name the licence, the data export path, the deployment instructions, the main dependencies, the security update route, the backups, the identity provider, the integration points and the person or supplier able to keep it running. If the software is proprietary, the same file should explain what the company can still export and what it cannot replace quickly.
Open source changes the answer, not the need for the question. A public repository without deployment notes is not a contingency plan. A community project without a maintenance budget is not operational resilience. A vendor using open source under the hood still needs to explain who patches it when a critical vulnerability lands.
AI makes the old question sharper
The strategy matters for AI because AI projects are rarely one product. A working system usually includes a model, prompts, retrieval data, connectors, logs, human review, evaluation examples and cloud capacity. The lock-in often sits between those layers.
If an SME wants to keep AI choices open, it should keep three artefacts outside the vendor’s black box:
- a small test set of real tasks and expected answers;
- an exportable record of inputs, outputs, reviewers and exceptions;
- deployment notes for the non-model parts of the workflow.
Those artefacts are boring. That is why they work. They let the company retest the workflow against a different model, move a knowledge base, or prove why a tool was used in a regulated process. Without them, open source becomes a slogan attached to a system the firm still cannot move.
Public procurement will set the tone
The Commission puts public administration at the centre of the strategy. It points to procurement guidelines, stronger internal use of open source, standardisation and international outreach. That matters beyond government because public buyers shape the language suppliers reuse for everyone else.
SMEs selling into public-sector or regulated markets should watch the procurement vocabulary. If tenders start asking for interoperability, data portability, source availability, standards alignment and maintenance governance, private buyers will copy the checklist. The same happened with security questionnaires and data-processing agreements.
The risk is that suppliers answer with labels. “Open source compatible” is not enough. “Sovereign-ready” is not enough. “Portable” is not enough. The buyer needs the boring nouns: repository, licence, export, runbook, owner, backup, patch window, incident contact.
Use open source as leverage, not theatre
The EU strategy gives SMEs a better argument in vendor conversations. It does not remove the work of operating software. A small firm can use open source to reduce lock-in, strengthen auditability and negotiate more credible exits, but only when it knows which part of the stack it can actually control.
The next procurement file should therefore add one page. If the supplier disappeared, changed price or lost access to a critical dependency, what still runs, what can be exported, and who knows how to restart it? That page is the difference between open source as leverage and open source as theatre.
Frequently asked questions
Does the EU Open Source Strategy force SMEs to buy open source?
No. The strategy is a policy direction, not a direct SME purchasing mandate. It does make open source more relevant in public procurement, standards and European digital sovereignty work.
Why does this matter for AI projects?
AI projects depend on cloud, data pipelines, model tooling and audit records. Open source can reduce lock-in only if the SME can keep those parts documented and operable.
What should SMEs ask vendors first?
Ask for the exit file: source availability, licence, deployment instructions, data export, dependency list, security update path and the person responsible for maintenance.
Sources
- Official Communication on European Tech Sovereignty, accompanied by an EU Open Source Strategy European Commission, Shaping Europe's digital future accessed
- Official EU Open Source Strategy European Commission, Shaping Europe's digital future accessed
- Official Commission boosts open and interoperable digital ecosystems for public administrations European Commission accessed
- Official Commission proposes tech sovereignty package to strengthen Europe's digital autonomy and resilience European Commission, Shaping Europe's digital future accessed
Image credit: Photo: HTML and JavaScript code - Martin Vorel, CC BY-SA 4.0 (Wikimedia Commons)
Iris Van Loon covers SME operational reality and advisors for Flint Brief.
Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).