Français

English

European Parliament — © 2026 Benjamin Jean, CC-By-SA 4.0

Regulation, sovereignty, competitiveness: evolving European regulation to embed Open Source and sovereignty

Available translation: Français

A few days after the Strasbourg Digital Encounters 2026, the reflections from the workshop “Using European regulation to boost economic competitiveness” continue to make their way -​- including a very concrete proposal: clarifying two blind spots in our internal market law, namely integrating a competitiveness logic into a doctrine designed around competition alone, and clarifying Open Source’s place in the notion of placing on the market.

As a reminder, the Strasbourg Digital Encounters took place on 15-17 April 2026 at the European Parliament, for their third edition co-organised by Numeum and Cigref. The chosen theme -​- “Digital transformations: from ambition to action” -​- structured two days of plenaries and ten thematic workshops.

Workshop 10, co-chaired by Véronique Lacour (EDF) and Sophie Batas (Dassault Systèmes) and facilitated by Vanessa Dewaele (Veolia), gave rise to numerous exchanges. As discussions unfolded, an idea took shape: regulation should be able to fully support the actions of private actors contributing to European sovereignty. The exchanges highlighted the need to ensure genuine convergence between the actions taken by the private sector on the one hand, and by the legislator on the other.

It was at the end of the workshop and during the trip back from Strasbourg that the idea took root of durably evolving the concepts handled during the workshop through soft law instruments such as the Commission’s Blue Guide. The objective is to give past and future work a converging direction on these sovereignty issues (which combine competition and competitiveness), so as to fully take into account the specifics of Open Source. Open Source itself is an essential source of innovation for regaining our sovereignty. As both an interpretive tool for existing texts and an instrument of harmonisation for those to come, Open Source offers the most pragmatic vehicle for two useful clarifications, without ruling out, in parallel, more structuring legislative vehicles.

The workshop’s diagnosis: regulation to build trust and strengthen competitiveness

The diagnosis shared by the participants boils down to three frictions:

  • Legislation is perceived as deviating from its initial intent over the course of co-legislation, and even at the time of national transposition (cf. our article on the articulation of European texts regarding AI);
  • Compliance investment that struggles to translate into innovation gains (and potentially creates a disparity between SMEs not equipped for it and large corporations for whom it is business as usual);
  • The persistent fragmentation of 27 national regimes, which dilutes the effect of an internal market that is nonetheless central to the European project.

Two priority areas were identified: Digital Trust (in particular around the revision of the EUCS scheme) and Industrial Strategy & Competitiveness (around the Data Management Act, the Data Act and public procurement).

Beyond that, a transversal observation emerged: Europe fully plays its role in protecting consumers and citizens but struggles to integrate the interests of European economic actors with the same finesse. The two logics, however, are not antagonistic. They combine as soon as one accepts to think of regulation as a vector of competitiveness, on a par with being a tool of protection. That was indeed the whole point of our workshop, which translated into two sets of recommendations:

  • A unified, multi-layered European sovereignty framework, horizontal in nature, anchored in the revision of the Cybersecurity Act and in the future Cloud and AI Development Act (CADA), expected to be proposed in the first quarter of 2026, covering cloud, software, AI and the supply chain (including semiconductors). Expected characteristics: scalable levels, business-centricity, applicability to micro-enterprises and SMEs, protection against extraterritoriality, stability over time, with an avowed preference for a regulation (rather than a directive, to avoid re-fragmentation in 27 transpositions).
  • A European industrial strategy for digital sovereignty. It rests on two pillars: 1) a European preference in public procurement, explicitly enshrined in the CADA along the lines of the Buy American Act, with operational sovereignty criteria (data location, applicable jurisdiction, IP ownership and licences (and IP governance), protection against extraterritoriality and export control regulations); and 2) a European digital sovereign fund open to citizens’ savings.

Together with a legislative fast-track for “critical digital topics”, these subjects are already on the Commission’s radar. The challenge is therefore not to push them onto the agenda but to ensure that the encounter between these texts under preparation and European economic interests takes place as far upstream as possible, and as harmoniously as possible (and therefore beyond the regulations under preparation alone).

Of note:

  • Regarding the perimeter of sovereignty, consensus was quickly reached on extending the scope of data to the entire supply chain. The question is just as important for the cloud as it is for the circulation of sovereign products. It is becoming increasingly acute for connected objects (IoT), industrial embedded systems, and more broadly the critical software components of the supply chain.
  • The exchanges reaffirmed the need to adapt current regulation in order to recognise the specifics of the digital distribution of software, and in particular the dynamics specific to Open Source. The criticisms made together with CNLL in the CRA Compliance Guide for Open Source Communities are precisely that the current doctrine of placing on the market was designed for tangible products circulating through identifiable distribution channels, and that it poorly describes the distribution arrangements of free and open source software (notably the publication on a forge with a simple offer to contract).

Embedding and evolving these concepts within European regulation

Several European texts give shape to the concepts that interested us, and are therefore so many vehicles for translating the desired evolutions:

  • The Decision of 9 July 2008 (which constitutes the reference framework of the New Legislative Framework, politically binding the Parliament, the Council and the Commission);
  • Regulations (EC) No 765/2008 and (EU) 2019/1020 on market surveillance, and the various sectoral texts (CRA, AIA, PLD, to name only those);
  • The Blue Guide 2022/C 247/01 as the Commission’s interpretive communication explaining how the NLF should be applied and harmonising the reading of sectoral texts by national authorities -​- it is, in a sense, the bedside book for anyone seeking to articulate the various texts;
  • The Digital Omnibus which aims to simplify the application of the various instruments (currently relatively criticised);
  • The much-anticipated Cloud and AI Development Act (CADA), which should be able, together with the European Open Source strategy, to orient European strategy in a logic that combines sovereignty and the building of a trusted software supply chain (notably through Open Source).

Several initiatives can be mobilised, depending on the context:

  • The Digital Omnibus to lay down a harmonised definition of “commercial activity” and of commercial Open Source common to the CRA, AIA and PLD.

Even though this text keeps making us wait, it would be the instrument of choice to harmonise the concepts mobilised across the various European regulations.

Indeed, every recent sectoral text has built its own Open Source exception, with its own definitions, thresholds and grey areas (see in particular the post on the articulation of regulations). Operational criteria for commercial activity could be developed, fine-grained enough to reflect real-world models: thresholds, forms of economic engagement, contributor/maintainer relationships, open core models, dual licensing, stewardship, sponsorship, associated services. Then a typology of roles (individual developer, occasional contributor, maintainer, Open Source Software Steward in the sense of Article 24 of the CRA, Open Source vendor, integrator), aligned with the terminology of the sectoral regulations. And finally a common definition of commercial open source, which could serve as a cross-cutting reference for the entire NLF, from the CRA to the AIA via the PLD.

  • The CADA to integrate operational sovereignty criteria that treat Open Source as a natural vector of resilience -​- particularly against extraterritoriality -​- and to bring into public debate the concrete translation of a Buy European that is legally sustainable in light of Article 18 TFEU and GPA commitments.

The Draghi report submitted to the Commission on 9 September 2024 put words to European digital dependence: roughly 80% of digital products and services used in Europe come from foreign actors. The report calls for a coordinated industrial policy and forms of targeted European preference, breaking with pure competitive neutrality. The CADA is intended to implement a number of these recommendations. Both the sovereignty concerns (in a cloud providers approach) and all the considerations relating to the supply chain could be introduced -​- it being understood that the autonomy of these actors will only be real if the underlying technical infrastructure is open and interoperable (and managed in an open and shared way).

European competition law (Articles 101 to 109 TFEU) structures an open and competitive internal market that is, however, neutral as to the origin of actors. This principle, consistent with the single market project, is at growing odds with the practices of other major blocs. The United States have, since 1933, built an entire toolkit of national preference instruments, recently complemented by the CHIPS and Science Act (2022) and the support mechanisms of the Inflation Reduction Act (2022). China articulates an avowed industrial policy around Made in China 2025 and its import substitution mechanisms.

  • The revision of the Blue Guide to host the missing transversal doctrine: typology of Open Source roles, operational criteria of commercial activity, reading of the digital “European product”, and treatment of dependencies and the supply chain.

The Blue Guide being an interpretive communication of the Commission, its revision does not require an ordinary legislative procedure and can take place within much shorter timeframes than a regulation or directive. Its adaptation would make it possible to recognise the specifics of the digital distribution of software, and in particular the dynamics specific to Open Source. The criticisms made together with CNLL in the CRA Compliance Guide for Open Source Communities are precisely that the current doctrine of placing on the market was designed for tangible products circulating through identifiable distribution channels, and that it poorly describes the distribution arrangements of free and open source software (notably publication on a forge with a simple offer to contract).

Either Open Source publication is not, in itself, a placing on the market -​- in which case the recent sectoral exceptions are largely redundant and their complexity is unnecessary. Or it is, as soon as it fits within a commercial activity -​- in which case a choice must be made: applying the common rule to all commercial Open Source (which the sectoral regulations effectively do, at the cost of the fragmentation described above), or recognising for certain forms of commercial Open Source a particular status justified by reasons of public interest and ecosystem sustainability.

  • In the longer term, the question of a targeted revision of Decision 768/2008 to integrate a digital component, or of a horizontal framework act dedicated to digital placing on the market, could be carried in the doctrine (in a binding manner, unlike the Blue Guide, which falls within soft law).

For example, Decision 768/2008 defines making available as any supply of a product intended for distribution, consumption or use on the Union market in the context of a commercial activity, whether against payment or free of charge. The decisive criterion is indeed commercial activity (which is broader than gratuity); however, no example allows this concept to be projected directly onto Open Source communities and projects.

This is perhaps also where the question of dedicated support for Open Source actors could be raised, given the real contribution made to an open digital infrastructure. This would potentially make it possible to provide for incentive or support regimes, in the same way as the derogatory statuses of the social and solidarity economy are conditioned on specific governance and lucrativity criteria. All the more so as Open Source plays a particular role here in the search for sovereignty: the technical and legal freedom enshrined by Open Source software allows an alternative supply chain to be rebuilt if access to the initial building block is cut off (a sort of legal insurance against extraterritoriality).

Going further

Protecting European actors against extraterritoriality (EAR, OFAC and export controls)

The question of extraterritoriality is directly linked to that of digital sovereignty. The American Export Administration Regulations (EAR) and the sanctions managed by the Office of Foreign Assets Control (OFAC) apply to any software component or technology as soon as it contains US-origin technology, wherever it may be on the planet. A European vendor that integrates a US cryptography library, an integrator that deploys a cloud service on infrastructure provided by an actor subject to those regulations, an Open Source community that hosts its repository on a US forge: all fall, to varying degrees, within the material scope of extraterritorial laws (with the example of GitHub in July 2019, which restricted access to the private accounts of users located in Iran, Syria and Crimea -​- including European developers travelling in those areas).

This perspective feeds into our reflection: an operational doctrine of the “European product” only makes sense if it includes, among its criteria, resistance to unilateral foreign measures -​- that is, the ability for a European actor to continue its activity without being constrained by an export-authorisation regime or a sanctions regime outside Union law (with, in this scenario, the guarantee of being protected by European law).

Extending these sovereignty issues into other European regulations

We must ensure that any European preference is consistent with the principles of non-discrimination (Article 18 TFEU) and with the Union’s commitments under the WTO Agreement on Government Procurement (GPA). This can -​- as in the IPI Regulation (International Procurement Instrument) -​- rest on the introduction of reciprocity towards third countries (which themselves have defined their own sovereignty criteria), by setting objectively justified European criteria (security, resilience, data protection, etc.).

This article is a reflection piece, posted freely by a member of the team so that these reflections are not locked away on LinkedIn.

Author

Benjamin JEAN

Related resources

inno3 contributions to the EU Commission OS consultation

Article

Inno³’s contributions to the European Commission on the strategy for an open digital ecosystem
Articulation of export control regulations (FR/EU/USA/CH)

Article

Open and controlled: Open Source put to the test by export control in 2026
Remix de blotter_explosion Date 27 July 2006 Source Flickr Author Señor Codo licence CC BY SA

Article

Open Source and AI: Three European Regulations, Three Logics, One Ecosystem

Related articles

Articulation of export control regulations (FR/EU/USA/CH)

Article

Open and controlled: Open Source put to the test by export control in 2026