FOSDEM has always been a mirror of the open-source ecosystem: its strengths, its tensions, and its future directions. Across the Open Source & EU Policy, Legal, and CRA in Practice devrooms, a consistent narrative emerged: European regulation, standards, and public investment are deeply entangled with the technical realities of open ecosystems.
This post highlights key insights from those FOSDEM tracks and reflects on how they align with — and challenge — what NexusForum is promoting.
From “Open Source and Policy” to “Open Source as Policy”
One of the most striking elements of the Open Source & EU Policy devroom was how far the conversation has evolved. Rather than treating policy as an external constraint imposed on developers, many talks framed open source itself as a policy instrument — a means to achieve public goals such as digital sovereignty, resilience, and interoperability.
Discussions around European digital sovereignty repeatedly rejected simplistic narratives of technological independence. Instead, speakers emphasised sovereignty as capability: the ability to understand, influence, maintain, and evolve the software that underpins society. This framing aligns closely with NexusForum’s emphasis on participation in global open ecosystems rather than isolation from them.
The implication is clear: Europe’s strategic autonomy depends less on “owning” software and more on sustaining strong, well-governed open communities that European actors actively contribute to.
Governance, Procurement, and the Digital Commons
Another recurring theme was governance — not just of code, but of the institutions that support it. Talks on public digital infrastructure and digital commons explored how public procurement, funding instruments, and governance models can either strengthen or undermine open ecosystems.
Several speakers argued that Europe already invests heavily in digital infrastructure, but often fails to do so in a way that reinforces open governance or long-term maintainability.
The message from FOSDEM was not that governments should “control” open source, but that public money comes with responsibility: responsibility to avoid extractive models, to support upstream communities, and to ensure that public sector adoption contributes back to the commons.
Regulation Meets Reality: CRA in Practice
The CRA in Practice devroom offered a ground-level view of what happens when ambitious regulation meets real software projects. Rather than abstract debates about the Cyber Resilience Act, speakers focused on tooling, documentation, community roles, and supply-chain visibility.
A key insight was that compliance is not just a legal challenge, but a socio-technical one. Many open-source projects lack the organisational structures assumed by regulation — formal maintainers, clear product boundaries, or resources for continuous compliance work. Talks highlighted emerging roles, such as community managers acting as compliance coordinators, and the growing importance of shared infrastructure for security metadata and attestations.
Legal Perspectives: Risk, Responsibility, and Unintended Consequences
Legal-focused sessions complemented the CRA discussions by exploring liability, risk allocation, and the unintended consequences of well-intentioned regulation. Several speakers warned that without careful implementation, regulatory pressure could consolidate power in large vendors while marginalising volunteer-driven or small-scale projects.
This concern directly intersects with NexusForum’s policy work: how to ensure that regulation enhances trust and security without hollowing out the diversity and innovation of the open ecosystem.
What emerged was not opposition to regulation, but a call for proportionality, clarity, and ongoing dialogue. Legal certainty matters — but so does acknowledging the unique nature of open collaboration, where value creation and responsibility are often distributed.
“Free as in Burned Out”: The Human Cost of Open Infrastructure
Perhaps the most emotionally resonant moment came from the main-track talk “Free as in Burned Out: Who Really Pays for Open Source?”. The talk cut through technical and legal discussions to focus on the human cost of sustaining digital infrastructure that everyone depends on.
Burnout, invisible labour, and precarious funding models were framed not as individual failures, but as systemic outcomes of how open source is consumed and valued. The speaker challenged the audience — including policymakers — to rethink sustainability beyond donations and goodwill.
Looking Ahead
FOSDEM 2026 made it clear that the open-source community is no longer merely reacting to digital policy — it is actively shaping it. The challenge now is continuity. Conversations at conferences must translate into ongoing collaboration, feedback loops, and shared understanding.
