Open Source Software (OSS) has long been a cornerstone in the private sector, offering benefits like transparency, flexibility and cost-effectiveness. However, its adoption in public administration has been slow. Recently, the Austrian Parliament passed a resolution to explore the use of OSS, reducing dependency on large software companies. This move follows a similar trend in Germany, with projects like openCoDE and openSUSE. But what exactly is OSS and why should the public sector consider it?
What is OSS?
The term “open source” originated from the concept of free software, introduced by Richard Stallman. The term “free” led to confusion with “free of charge”, so the community adopted “open source” in the 1990s. OSS is defined by several key features:
- free and unlimited redistribution
- availability of source code
- permission for modification and redistribution under the same licence
- no restrictions on usage or distribution with other software.
OSS operates under a licence, similar to proprietary software, granting extensive rights to use the software as long as licence conditions are met.
Why use Open Source in the Public Sector?
While cost-effectiveness is often cited, other advantages are equally compelling, especially for public authorities:
- Reduced dependency: OSS minimises reliance on large providers, which may lack transparency and customisability.
- Transparency and security: a large community behind an OSS project can quickly identify and fix code errors, enhancing security.
- Flexibility: OSS offers greater adaptability and integration with other systems, often at a lower cost than commercial software.
Legal considerations in adopting Open Source for the public sector
When public authorities opt for OSS, they must navigate a complex legal landscape. This includes competition laws, which can be triggered if the adoption of OSS unfairly impacts the competitive balance between private providers.
Furthermore, in the European context, the EU Court of Justice has established guidelines for exempting “quasi-in-house” awards under EU procurement laws. These are contracts awarded to entities different from the contracting authority but under two specific conditions:
- Control Requirement: the contracting authority must exercise the same level of control over the contractor as it does over its own departments.
- Activity Requirement: the contractor must primarily perform activities for the contracting authorities that hold its shares.
These guidelines were codified in the EU Procurement Directive 2014/24/EU, providing a legal framework for public authorities to follow when considering OSS.
Organisational considerations in adopting OSS for the public sector
The adoption of OSS in public administration requires a shift in perspective. Unlike traditional software procurement, where the government acts as a contractor, OSS adoption is more akin to gardening: nurturing and fostering a community around the software.
- Community health: a thriving OSS community is crucial for the software’s long-term viability. Governments should aim to contribute to this community, not just consume its benefits.
- Investment: while OSS is often free to use, it’s not free to maintain. Public bodies must invest in regular updates, security measures and perhaps even contribute to the software’s development.
- Security standards: public authorities have unique security requirements that must be met. This could involve rigorous vetting of the OSS and its community, or even the development of specialised, secure versions for public sector use.
Training, guidelines and security policies
The integration of OSS in the public sector requires a comprehensive approach that encompasses not only the selection and implementation of software, but also the training of personnel and the establishment of security protocols.
Guidelines for the selection and use of OSS
Before delving into training and security, it's important to establish guidelines for the selection and use of OSS. These policies serve as the foundation for all subsequent actions and should define the underlying processes that ensure the secure and compliant use of the software within the administration. Selection criteria should define what makes an OSS suitable for specific tasks or projects and usage guidelines should outline the procedures for installing, updating and maintaining the software.
OSS training for developers and maintainers
Training is a critical aspect of ensuring that OSS is used effectively and securely. Specific training programmes should be developed for developers and maintainers who contribute to OSS projects. Training should focus on:
- Legally sound contributions: educating developers about the legal implications of their contributions to ensure that they comply with licences and other regulations.
- Developer guidelines: a comprehensive set of guidelines that answer key questions such as what code can be included, how to tag the code, what changes are allowed and what licences must be included.
Code security
Security is often a major concern when integrating OSS in public administration. A well-defined code security policy should be in place to address this, covering:
- Security certifications: understand the types of security certifications applicable to your OSS and strive to achieve them.
- Security audits: conduct regular security audits to identify and remediate vulnerabilities.
Requirements management
Effective requirements management is essential to ensure that only certified software is used in sensitive environments. The management system should specify:
- Authorisation: who is authorised to certify software?
- Certification locations: where must software be certified?
- Certification process: how should the certification process be carried out?
Public sector adoption of OSS is a complex issue
The adoption of OSS in public administration across Austria, Germany and other EU countries is gaining momentum. It offers a path to greater sovereignty, especially in times of economic and geopolitical uncertainty.
But, as illustrated by developments in Germany, the process is not straightforward. In its coalition agreement, the current coalition government agreed that public IT projects would require open standards, and that software developed on behalf of the State would generally be open source. At the time of writing, not much has materialised on the issue. While the German states and their municipalities are independent of the federal institutions, the vast majority of administrative activities take place there. Accordingly, most public contracts are awarded there and the Federal Government has little power to force these actors to adhere to its political priorities. On the other hand, a reform of the federal procurement law - which could, among other things, include the primacy of OSS - is still under discussion. The discussion has not yet resulted in a draft law and if and when it is published, it may not cover public sector OSS at all. The National Data Strategy of the Federal Government, published in August 2023, only mentions OSS in a business context.
The adoption of OSS in the public sector is a multi-faceted endeavour that goes beyond the mere selection of software. It involves extensive developer training, strict software usage policies and robust security protocols. By paying close attention to these aspects, public administrations can ensure the smooth and secure integration of OSS into their operations. This complexity may, however, be one of the reasons why full public sector adoption of OSS has not yet happened.