Linux Foundation Europe’s response to the European Commission’s public consultation: European Open Digital Ecosystems Strategy

Written by Paula Grzegorzewska | Jun 10, 2026 3:58:08 PM

The following is the content of the Linux Foundation Europe's submission to the European Commission's public consultation on Open Digital Ecosystems. It provided input towards the EU Tech Sovereignty Package and Open Source Strategy published on 3 June 2026. You can access our contribution on the Commission's website here.

Linux Foundation Europe welcomes the opportunity to contribute to the public consultation on the European Open Digital Ecosystems Strategy. As the European chapter of the Linux Foundation, we represent the largest global collaboration on open technologies, including essential open source software projects like Linux, OpenStack, Kubernetes, PyTorch, MCP, open hardware projects like RISC-V, open standards development initiatives like SPDX and C2PA and open data initiatives like Overture Maps. We support the Commission’s ambition to strengthen Europe’s open source ecosystem and urge sustained, long-term commitment and concrete mechanisms that will help achieve these goals.

Key points

Open source is a basis of successful business ventures and widely used throughout industries. Most modern software is based on open source, whether proprietary or not. Open source should be understood as a diverse ecosystem that includes multiple governance, sustainability, and commercial models and is a backbone of a significant share of the economy. Linux Foundation welcomes the Call for Evidence document’s acknowledgment of this reality and supports its pursuit of pragmatic, evidence-based approaches that can operationalise the benefits of open technology into gains for EU’s competitiveness and technological autonomy.
Europe should build on and influence the global Open Source commons, rather than pursue isolated notions of “European Open Source.” Leveraging existing global projects and communities offers the fastest and most realistic path toward EU objectives on technological sovereignty and strategic autonomy. The technologies underpinning cloud, AI and emerging digital infrastructure already exist as openly governed global projects. Fragmented, Europe-only initiatives dilute impact and slow progress. Strategic upstream investment and participation in global commons maximises ROI, accelerates innovation, and strengthens Europe’s ability to shape critical technologies. There is insufficient time, funding, and talent capacity to recreate these ecosystems from scratch. The United States and China have been building their capacity in open source through commercial (estimated to be $7.7B/year) and public investments, respectively, for the past two decades and achieved great results that can inform Europe’s strategic plans for achieving digital sovereignty.
Scaling local commercial Open Source companies should be a core policy priority. Product and services companies built around open source should be included in the investment concepts of funding instruments such as the ScaleUp Fund, European Innovation Council programs, initiatives removing barriers to enter European markets such as EU Inc, as well as other industrial policy mechanisms in order to accelerate growth, enable global competition and retain European talent. Recent research from LF Research, Commercial Open Source Startup Alliance (COSSA) and Serena shows that Commercial Open Source (COSS) companies outperform closed-source peers in fundraising speed and both early stage and exit valuations. Commercial open source ecosystems can also be stimulated on the demand side by updating procurement practices, for instance in the upcoming Procurement Directive. Linux Foundation Europe feedback to the consultation.
Critical Open Source infrastructure should be hosted under neutral governance. Neutral hosting is essential to ensure balanced decision-making and to mitigate single-vendor risks, including licence changes, the creation of new vendor lock-ins, or risks linked to foreign acquisitions as well as foster rapid organic de facto standardization. This approach has been proven to sustain and grow large open source projects, often allowing competitors to collaborate on crucial and innovative technology and providing a basis for further development. Both the collaborative communities that create and steward open source software and the commercial ventures that monetise it require a neutral platform for scalable global collaboration, long-term stewardship, and connecting projects, industry, and public sector. The Linux Foundation and other open source foundations bring decades of experience in scaling and sustaining critical open source projects and would welcome continued collaboration with the European Commission. Such a collaboration with foundations would support EU objectives - by building on the existing global commons, sharing best practices, leveraging established projects and services, and, where appropriate, creating new local EU structures.

Question 1: What are the strengths and weaknesses of the EU open-source sector?

Strengths

European developers play a significant role in global open source projects, contributing to the technologies that enable most of the EU’s digital infrastructure, where 70–90% of code relies on open source.
Europe ranks second in the number of developers, as shown by the latest GitHub data, and takes the lead in the number of contributions.
The open source community reflects core European values - transparency, accountability, and interoperability - while also serving as a recognized pillar of digital sovereignty, helping prevent vendor lock-in.
The EU has been at the forefront of integrating open source into regulatory frameworks, as exemplified by concepts such as the “open source software stewards” in the Cyber Resilience Act, a step toward strengthening Europe’s digital security and autonomy.
The European public sector has been increasingly engaged in the strategic use of open source, with notable examples from France, the Netherlands, Germany, and other countries at local, regional, national, and European levels.

Weaknesses

Many European companies still consume open source without contributing proportionally, resulting in weak influence over critical technologies they depend on. European enterprises must move from passive consumption to active contribution and governance participation to reduce supply-chain risk, influence roadmaps, and regain strategic control over critical digital infrastructure. There are no European companies among the top 10 commercial organizations ranked by the volume of their employees’ year-to-date open-source contributions on GitHub.
Europe’s commercial open source scale-up pipeline remains underdeveloped, making it difficult to turn strong open source projects into globally competitive product and services companies, as well as retain talented European founders, especially when compared to the US.
Despite strong evidence of superior exits, commercial open source is not a critical part of European investment strategy. The business and investment climate encourages founders to seek regions with larger venture capital pools and more attractive exit opportunities, leaving European open source business development lagging behind.
Attempts to fragment or regionalise open source efforts risk isolating Europe from global ecosystems, reducing upstream influence and slowing innovation. Initiatives such as “Software made in Europe” risk limiting scale-up potential and discouraging participation in existing global projects, thereby forgoing accumulated expertise, good practices and talent. This is particularly detrimental for large European industries who are global in nature and leverage the global commons in their technology stacks.
Despite substantial EU investment, public funding remains spread across disconnected projects, overlapping initiatives and national silos, limiting scale, impact, and global influence. Future funding should focus on fewer, strategically selected projects with global relevance, coordinated governance, and clear pathways to adoption and sustainability.

Question 2: What is the added value of open source for the public and private sectors?

Open source delivers critical value to the public sector by reducing vendor lock-in, enhancing auditability, and increasing transparency across software supply chains. By participating upstream in global projects, governments and institutions can build technical capabilities, influence how software evolves, and ensure alignment with regulations and policy priorities. Open source also enables cross-border collaboration and reuse, as demonstrated by initiatives like the EU OSPO Network and the Digital Sovereignty European Digital Infrastructure Consortium, where municipalities, federal agencies, and even multiple countries can contribute and share solutions.

One of the examples illustrating the benefits of open source in the public sector is the adaptation of PyPowSyBl components by Baltic RCC. The Linux Foundation would be happy to share additional case studies and examples from across diverse verticals, public and private sectors, geographies and use cases.

Baltic RCC: Open Source for Interoperable, Compliant Grid Operations

Baltic RCC, the Regional Coordination Center responsible for electricity system security in the Baltic region, faced growing complexity as Europe’s power grid became more interconnected and renewable-heavy. To meet EU regulatory requirements (EU 2019/943) for a Pan-European network model, while avoiding vendor lock-in and long-term dependencies, Baltic RCC chose an open source, community-driven approach rather than proprietary software. It adopted components from LF Energy’s PowSyBl project, notably PyPowSyBl, to merge network models from multiple Transmission System Operators (TSOs), manage CGMES data exchanges, and run critical load-flow and “what-if” stability analyses needed for cross-border coordination.

By building a modular architecture on open standards and open source tools (including open message brokering, storage, and visualization components), Baltic RCC retained full control over its systems while ensuring interoperability across organizations and borders. The result is a compliant, operational Pan-European network model that supports grid resilience, regulatory oversight, and future evolution without dependence on a single vendor. This case demonstrates how open source technology can act as a digital public good for the energy sector, supporting interoperability, transparency, and long-term sustainability in line with EU digital government and infrastructure objectives.

In the private sector, open source accelerates innovation, lowers infrastructure costs, and levels the playing field for companies of all sizes, particularly SMEs, by providing access to globally recognized standards and technology. By contributing to and engaging with upstream projects, companies gain influence over the direction of foundational technologies rather than simply consuming them. While acceptance depends on maintainer review and community consensus under open governance, businesses can pay engineers to work on specific features, thereby shaping which areas receive the most attention and development.

Commercial open source software often outperforms proprietary alternatives, attracting investment and enabling firms to compete on quality, scalability, and innovation. Participation in open source ecosystems also mitigates dependency risks, fosters collaboration with leading global talent, and ensures that European companies remain strategically relevant in a competitive international market. Rather than creating isolated “European-only” software, participation in these ecosystems strengthens digital sovereignty.

Economics of interdependence

Open source forms the foundation of nearly all modern digital ecosystems, with most proprietary software built on open layers that are maintained and governed collaboratively. Its economic impact is substantial: European contributions to open source are estimated to generate €65–95 billion annually for EU GDP, while replacing existing open source components globally would cost $8.8 trillion. Value is created on top of the open layer, not by attempting to replicate it through closed, “EU-exclusive” alternatives. True sovereignty and competitiveness come from participation, influence, and open governance, allowing Europe to shape the global commons rather than be constrained by it. By embedding open source at the heart of policy, business, and public infrastructure, Europe can accelerate innovation, maintain resilience, and secure strategic autonomy across critical sectors.

Question 4: What technology areas should be prioritised and why?

The beneficial impact of open source has been shown in a variety of sectors. The Linux Foundation is uniquely positioned, hosting many of the largest and most influential projects across diverse technology areas, often with European leadership. Our Open Source Index and Landscape showcase these projects, together with numbers of contributors, health metrics of the community, software value and other indicators, categorised by technologies and industries. Such data offers insight into market dynamics and the influence of these projects. Some of the priority technology areas could include:

Cloud, edge, and telco infrastructure
AI frameworks and tooling (not just models)
Cybersecurity tooling and software supply chain
Digital identity and wallets
Industrial and automotive software stacks
Open hardware (RISC-V, embedded systems)

However, such prioritisation should take place after detailed analysis based on a comparable EU-level approach. A robust evidence base is needed on concentration and lock-in across the technology stack, interdependencies between components and vendors, the actual use and maturity of open source alternatives, and the implications of different strategic choices. This requires structured, ongoing data collection and dependency mapping across key domains, such as those mentioned above, to understand where open source is already viable, where dependencies concentrate around critical projects or actors, and where ecosystem weaknesses create systemic risk.

On this basis, the EU can credibly prioritise technology areas over time, focusing investment on strengthening upstream open source components and enabling substitution and modularity where strategic dependencies are most acute. For instance, many larger open source projects that are de facto standards do not necessarily need financial support, but would benefit from greater participation of European players to increase influence, while smaller or more critical foundation projects should be directly funded and supported via mechanisms such as the proposed European Sovereign Tech Fund.

NeoNephos: sovereign cloud native technology

NeoNephos is an open source initiative established by the Linux Foundation Europe under the IPCEI-CIS (Important Project of Common European Interest on Cloud Infrastructure and Services) framework. The project aims to provide a shared foundation for Europe’s cloud-to-edge infrastructure, addressing regulatory, security, and interoperability requirements. Its governance brings together technology companies, research institutions, and cloud providers - including SAP SE, Deutsche Telekom AG, CLYSO GmbH, and TNO ECOFED - to collaboratively develop cloud-native technologies based on open standards.

The project focuses on key areas such as open cloud infrastructure, digital sovereignty, and collaborative development. By using and adapting existing open source components, NeoNephos enables faster deployment, reduces duplication of effort, and ensures transparency and auditability of the software stack. These characteristics are important for European organizations seeking to maintain control over their data and infrastructure while complying with EU regulations.

NeoNephos also functions as a shared resource for other IPCEI-CIS projects, supporting interoperability and providing reusable tools and standards that reduce development costs and accelerate innovation. Its architecture and project portfolio build on upstream initiatives such as Sylva Project, whose work on telco-grade cloud and edge frameworks has provided important foundational concepts and reference approaches.

By aligning multiple initiatives under a common open source framework, the project demonstrates how coordinated, community-driven development can support Europe’s digital sovereignty objectives.

Question 5: In what sectors could an increased use of open source lead to increased competitiveness and cyber resilience?

Decisions on sectors of focus for increasing competitiveness and cyber resilience should be based on extensive research and analysis of industry data throughout verticals, and framed within a coherent policy framework aligned with EU strategic objectives, including technological sovereignty, security and competitiveness. Existing frameworks, notably the NIS2 Directive, already provide a strong reference point for identifying sectors where increased use of open source can most directly enhance competitiveness.

Across both Essential Entities (such as energy, digital infrastructure, and public administration) and Important Entities (manufacturing, food, digital services and research) organisations face similar structural constraints: heavy reliance on a small number of proprietary vendors, limited insight into software supply chains, escalating costs, and long-term lock-in. These challenges are amplified by high dependency risks, long lifecycle software, and a strong need for interoperability and trust in critical systems.

Case study – Sovereign Open Source Cloud Infrastructure

A good example is NUBO, a sovereign cloud operated by the French Ministry of the Economy and Finance and built using open source technologies from the OpenInfra Foundation, especially OpenStack. By adopting an open source cloud stack, NUBO reduced dependency on proprietary vendors, improved transparency and auditability, and strengthened control over its software supply chain. The project demonstrates how open source infrastructure can enhance cyber resilience, limit vendor lock-in, and support digital sovereignty in critical public-sector systems, while remaining compatible with stringent national security and compliance requirements.

Open source helps address these issues by enabling modular and interoperable systems that lower switching costs and reduce barriers to market entry, supporting a more diverse and competitive supplier ecosystem, including European SMEs and service providers. This is particularly relevant in sectors such as energy, digital infrastructure and public services, where reducing vendor concentration can directly translate into increased innovation, cost efficiency and strategic autonomy.

Beyond these core sectors, industry evidence shows that open source is increasingly enhancing competitiveness and cyber resilience across a wider range of NIS2-relevant verticals. In finance, open collaboration around data models, interoperability standards and AI controls reduces systemic risk, improves auditability and lowers barriers for new entrants in a traditionally vendor-concentrated market.

Spring Bot Case Study - Deutsche Bank

Financial services provide a clear example of how increased use of open source can strengthen competitiveness and cyber resilience while supporting digital sovereignty. One example is the case study from FINOS on Deutsche Bank, which documents the use of the open source Spring Bot framework to automate internal developer communications and workflows.

By adopting and contributing to an open source solution, Deutsche Bank reduced dependency on proprietary tooling, improved transparency and auditability of internal systems, and strengthened its ability to assess and manage security risks. This approach supports digital sovereignty by enabling greater control over critical software components, reducing vendor lock-in, and allowing security practices to be adapted to regulatory and institutional requirements. The case demonstrates how open source adoption in the financial sector can enhance operational efficiency, resilience, and trust, key factors for maintaining Europe’s competitiveness in highly regulated and security-sensitive domains.

Similar dynamics are visible in manufacturing, energy and mobility. Software-defined vehicles, industrial platforms and safety-critical systems increasingly rely on open operating systems and reference implementations, allowing manufacturers to focus investment on differentiation while benefiting from shared security and safety engineering. Examples include Automotive Grade Linux (AGL) for infotainment systems; ELISA, which develops guidance and tooling to enable Linux in safety-critical applications such as medical, aerospace, and automotive; and the Zephyr Project, an open source real-time operating system for resource-constrained devices.

Zephyr project addressing functional safety

The Zephyr Project is an open source project developing a small, scalable real-time operating system (RTOS) optimised for resource-constrained and embedded devices across multiple hardware architectures. It brings together silicon vendors, OEMs, and software providers under a neutral governance model to reduce development costs, improve interoperability, and accelerate time to market for connected devices, while offering a high degree of configurability, security, and long-term support.

The talk “Zephyr: Learnings From Working on Safety Certification in the Open” by Kate Stewart (The Linux Foundation) describes the project’s approach to safety, including the achievement of IEC 61508 concept approval in December 2024, ongoing work toward IEC 61508 and ISO 26262 certification, and the roadmap through 2026. This presentation provides useful insight into how an open source RTOS like the Zephyr Project is addressing functional safety and is recommended viewing for those interested in this topic.

In energy, open source has moved into production use for digital substations, grid management and EV charging, enabling interoperability across vendors, open security testing and faster adaptation to regulatory and technological change. Across these sectors, open source supports both competitiveness and cyber resilience by reducing dependency on proprietary platforms, improving visibility into software supply chains, and fostering more diverse and innovative ecosystems.

For cybersecurity, the transparency and auditability of open source software, combined with shared maintenance and peer review and coordinated vulnerability disclosure, are directly aligned with the EU’s risk-based cybersecurity approach as reflected in the NIS2 Directive, the Cyber Resilience Act (CRA) and the EU Cybersecurity Strategy. These characteristics enable earlier detection and faster remediation of vulnerabilities across the software lifecycle - provided that open source ecosystems are adequately governed, sustainably-resourced and supported by professional security processes.

In contrast to opaque proprietary software stacks, open source components allow continuous assessment of code integrity, security-by-design practices and traceability of software dependencies, which are central objectives of current EU cybersecurity policy. This is particularly relevant in the context of software supply chain security, where NIS2, DORA and the CRA emphasise risk management, dependency awareness and incident prevention across interconnected systems. Open source enables systematic mapping and monitoring of dependencies, supporting the production and maintenance of software bills of materials (SBOMs) and facilitating compliance with emerging regulatory requirements.

Targeting critical upstream dependencies, sometimes maintained by a small number of contributors, enables high-leverage interventions that significantly reduce systemic cyber risk. Strategic support for these dependencies through coordinated funding, security audits, long-term maintenance programmes and trusted governance structures can prevent single points of failure, reduce exposure to large-scale vulnerabilities, and improve incident response coordination across the Union.

Such an approach helps avoid fragmented or “build-from-scratch” solutions that increase attack surfaces, dilute security expertise, and create inconsistent security postures across sectors. Instead, it promotes the consolidation of security efforts around well-governed, widely adopted, and continuously maintained open source components, delivering resilience benefits that propagate across the entire software ecosystem, including critical infrastructure, public services and industrial systems.

By embedding open source within EU cybersecurity policy as a shared security foundation rather than a cost-saving alternative, the Union can strengthen collective cyber resilience, improve preparedness and response capabilities, and ensure that essential digital infrastructures are built on transparent, verifiable and trustworthy technologies, consistent with the EU’s long-term objectives for security, sovereignty and technological autonomy.

In this sense, open source functions as the WD-40 of competition, reducing friction, unlocking collaboration, and enabling faster, more resilient innovation across sectors.

Park&Charge and Qwello: Open Source as a Foundation for Resilient E-Mobility Infrastructure

When responsibility for 191 aging EV chargers in the Dutch province of Gelderland changed hands in 2024, Park&Charge and Qwello faced a common challenge in the fast-moving EV market: how to modernize legacy charging infrastructure without scrapping functional hardware or becoming locked into unsupported proprietary technology. Many of the chargers relied on vendor-specific software that could no longer be maintained, creating a high risk of stranded assets, an increasingly familiar problem in automotive and mobility infrastructure as early EV technology providers exit the market. Rather than replacing the chargers outright, Park&Charge and Qwello pursued a circular, software-defined approach aligned with long-term sustainability and interoperability goals.

By refurbishing the chargers with LF Energy’s open source EVerest software stack, combined with Qwello’s PhyVERSO charge controller, the operators transformed obsolete assets into modern, standards-based EV charging infrastructure. EVerest provided a vendor-neutral, interoperable software foundation compatible with a wide range of vehicles and backend systems, enabling high utilization rates and a reliable driver experience while preserving most of the existing hardware. The result is a future-proof charging network that reduces waste, lowers lifecycle costs, and can evolve with the rapidly changing automotive ecosystem. This case shows how open source software can act as a strategic enabler for digital mobility infrastructure, supporting interoperability, resilience, and circular economy objectives across the EV charging value chain.

Throughout the NIS-2 sectors and beyond, the Linux Foundation hosts a variety of large-scale industrial collaborations through open source such as FINOS (finance and digital payments), LF Networking (telecommunications), LF Energy (energy), Margo (manufacturing), Agstack and OpenAgri (European Union’s Horizon Europe research program), to name a few.

Additional initiatives and projects of interest include: CNCF, hosting a de facto standard for open cloud-native stacks; AI (PyTorch Foundation and AAIF); Operating systems (Linux and Zephyr RTOS); Security and Cyber Resilience (OpenSSF and its CRA initiatives, and Post-Quantum Cryptography Alliance for quantum-safe security); LF Decentralized Trust; and in the area of hardware and embedded systems, RISC-V International.

Question 3: What concrete measures and actions may be taken at EU level to support the development and growth of the EU open-source sector and contribute to the EU’s technological sovereignty and cybersecurity agenda?

We decided to answer Question 3 at the end of this document because its response builds on the input provided in the preceding questions. The following recommendations draw on earlier insights and address the three goals delineated in the consultation document:

(i) encouraging greater adoption of open source by public and private users, and encouraging organisations to contribute to open-source development;

(ii) boosting the development and competitiveness of the emerging EU open-source sector;

(iii) strengthening the position of start-ups in the innovation ecosystems.

Policy

Strengthen EU influence in global open source ecosystems: Focus on public sector and industries upstream contribution and active participation in existing global projects. Build European stacks on global open source software, with strong European participation and governance influence.
Promote open governance and interoperability: Support foundation-based governance structures over single-vendor models to ensure community-driven, long-term project sustainability and rapid technical integration through de-facto standardization.

Avoid fragmentation: “European open source” should mean European influence in the global ecosystem, not exclusion. Efforts to separate “European” from “global” open source would be impractical given the deeply interconnected nature of open technology, and would risk decreased security, reduced interoperability, as well as limiting access to the talent pool and potential positive economic impact for the EU.

Accelerate harmonization of the EU market: Reduce market friction for EU-based technology and open source adoption, through industrial policy incentives and initiatives such as EU Inc.
Procurement guidance: Update public procurement frameworks to reward not just usage but also upstream contribution to open source and use of interoperable technologies.
Economic impact monitoring: Establish recurring studies on the economic impact of open source, building on existing European Commission research, and include open source activity indicators in the Digital Economy and Society Index (DESI) to track progress systematically.

Create an Open Source Expert Group: Such a group would ensure continuity and dialogue between the European Commission and the broader open source community. It could connect policy measures to real software development practices and provide structured feedback loops between policymakers, foundations, developers, and industry users.

Funding

Commercialization support for open source companies in Europe. Enable clear pathways for scaling and international competition, create a circular economy for open source technologies, and integrate Commercial Open Source into key investment strategies and tools, such as the EU ScaleUp Fund.
Leverage venture capital and private-sector funding for open source ecosystems. EU policy should recognize that enterprise contributions and VC investment sustain upstream projects, drive thriving commercial ecosystems, reduce vendor lock-in, and advance EU strategic goals, complementing public funding and seed-stage support.
Create incentives for COSS companies to grow and remain in Europe. Align EU funding instruments with commercial open source growth, support balanced investment models that prevent concentration risks, and make Europe a competitive hub for open source entrepreneurship and international expansion.
Strategic participation in global open source commons. Fund European contributions to existing global projects rather than isolated Europe-only initiatives, maximizing ROI, accelerating innovation, and strengthening Europe’s influence on critical digital technologies.
Public–private partnerships and neutral foundations. Promote collaboration around neutral, vendor-independent platforms to maximize collective benefits, reduce systemic risks, and ensure long-term stewardship of critical infrastructure. Build on well-tested and successful governance and collaboration models.
Fund the EU Sovereign Tech Fund. Bridge the gap in sustaining critical, foundational layers of the open source ecosystem, improving cybersecurity and establishing a robust baseline for a thriving open source ecosystem in Europe. Policy instruments should differentiate between critical, under-maintained projects (which need direct support and funding) and more mature, self-sustaining, industry projects (which need lower barriers to entry, reduced regulatory fragmentation, and mechanisms empowering SME, startups, and large enterprises alike).

Capability / Talent

Education and training: Integrate open source into university curricula, emphasizing independence from proprietary frameworks and strengthening foundational skills in Linux, OpenStack, Kubernetes, PyTorch, MCP, and similar technologies, as well as in cybersecurity and digital skills (e.g. Cybersecurity Skills Framework, Developing Secure Software, open source best practices, OSPOs)
AI and emerging tech pipeline: Build talent in critical underlying open source infrastructure to maintain competitiveness in AI and cloud-native technologies.
OSS literacy for policymakers and procurers: Ensure decision-makers understand open source principles, governance models, and the implications for procurement and digital sovereignty. Involve open source projects, communities and organisations in education efforts and mutual exchanges.
Public administration capacity: Reinforce technical expertise in public institutions to support open source adoption, contribution, and maintenance.

About Linux Foundation

The Linux Foundation (LF) is a global, neutral non-profit that hosts and supports open source projects. It operates through regional hubs worldwide, including Europe, and provides shared services such as legal frameworks, governance models, technical infrastructure, security, and community management. It is home to many technology horizontal and industry-vertical specific foundations enabling collaboration between diverse types of entities (including competitors).
The Foundation itself does not dictate technical direction or own project code; it creates stable conditions for open collaboration. Foundation boards focus on strategy, fiduciary oversight, and budgets, while technical decisions are made by project communities through technical steering committees and maintainers. Governance is designed to separate financial contribution from technical authority.
LF has more than 2,000 member organizations, with funding broadly balanced across regions and deliberately capped to avoid capture. Roughly 40-45% of funding comes from the US, 25-30% from Europe, and 18-22% from APAC, 3-5% from Latin America and 2-4% from Middle East and Africa, no single member contributes more than about 3% of the total budget. Membership fees fund project infrastructure, staff support, security, and ecosystem development.
Decision-making in the Linux Foundation is decentralized and primarily happens at the project level. Technical influence follows a meritocratic model based on sustained, high-quality contribution, not contribution volume. While contributors who invest more time and resources naturally gain influence, all code is subject to peer review and community scrutiny. Low-quality or irrelevant contributions are rejected regardless of who submits them, and maintainers are selected based on demonstrated expertise, consistent high-quality contributions, and constructive participation in reviews and discussions.

Note on Commercial Open Source Software - insights from the State of Commercial Open Source 2025 report

Commercial Open Source Software (COSS) can be defined as companies whose products or services are built on publicly accessible source code - whether through OSI-approved licences, open AI model weights, or software that combines meaningful open source components with proprietary features. These companies operate commercially, often leveraging open source as a foundation for scalable business models, reflecting the evolving approaches to monetization, governance, and venture-backed growth in today’s software landscape.

Commercial Open Source (COSS) is a well-established venture investment category, accounting for an average of $9B per year across ~250 deals.
Mega-rounds in 2024 reflect high confidence in late-stage COSS category leaders: Databricks: $9.5B, xAI: $11B, Mistral AI: $600M (Series A).
The US is still the primary hub for VC-backed COSS companies, with 65% of companies being US-based — double the US share in overall software (33%).
Open source forms the backbone of modern software infrastructure; About 90% of venture-funded COSS companies design and maintain critical software infrastructure.
Development tools and core infrastructure are over 5x more likely to be commercial open source (COSS), with open source being the default go-to-market for investors & founders.
COSS companies outperform closed-source peers in fundraising speed and valuations at early stages. COSS exits are real: 12% of venture-funded COSS companies have reached M&A or IPO. They also get superior exit valuations (7x higher at IPO and 14x higher at M&A).
Highly valuable COSS companies cultivate integral & vibrant project communities: OpenSSF Criticality Score, the number of distinct contributors, & commit frequency correlate strongly with COSS valuations.
Communities benefit from COSS funding: 27% increase in distinct contributors, 2+ new contributing organizations, and 52% increase in release frequency following funding rounds.
COSS projects see significant community growth after funding — 8× more dependent projects, 7× more package downloads, and a 60% jump in GitHub stars.