Summary of the “Open Source Key Areas for Digital Autonomy” Workshop

April 16, 2024

Three Directorates-General of the European Commission (Connect, DIGIT and GROW) joined forces to organize a workshop in Brussels to discuss Open Source in four key areas for Digital Autonomy.

This workshop is a follow-up to a study and workshops from 2022. The focus of this workshop was on the most relevant topics within open source. The first area was Cybersecurity and trustworthiness of ICT systems, which is of crucial importance in today’s Digital Europe. The second was the transformation of the automotive sector towards a connected, carbon-neutral and customer-centric transport with the Software-defined vehicle (SDV). The third area focussed on the successful implementation of open source solutions in European public services. The final area focussed on the use of Open Source for developing Data Spaces.

After opening and welcoming presentations by Natalia Aristimuño (DG DIGIT B) and Pearse O’Donohue (DG CONNECT E) the workshop kicked off with a keynote by Alexandre Zapolsky (Linagora).

He reflected on the importance of open source and digital sovereignty and on how EU member states are lagging in implementing open source, with a clear call for action. In 2023 President Macron stated: “We love open source” and all public bodies should use open source. There should be more leadership and more budget for leaders of open source in the EC and member states. More power, however, needs a good strategy. Therefore the EC must engage with open source providers, like what is done through the European Alliance for Industrial Data, Edge and Cloud, and assemble a group of specialists on open source to define the strategy. Considering that the top-down approach to the open source strategy hasn’t worked so far, the expectation is that the introduction of SIMPL will contribute to improving the open source strategy.

Alexandre Zapolsky’s call for action: Increase the budget for a European open source strategy. For NGI only €25Mio was made available; for the open source transition this should be 10 or 50 times this amount, so that we can build the 3rd digital wave based on open source.

Cybersecurity

Cybersecurity and trustworthiness of ICT systems are of crucial importance in today’s Digital Europe. The ability of chips or software components to incorporate backdoors or malware embedded by a bad actor in the supply chain poses a significant threat in the ICT value chain. Open Source can be a way to develop and maintain a root of trust throughout the supply chain.

Simon Phipps first provided a definition of open source:
Open source software is software released under a license that, by broad community consensus, grants all rights necessary to use, adapt, share and monetise the software in any way and for any purpose subject only to conditions that can be reasonably satisfied without negotiation with the licensors. See https://opensource.org/osd.

Lessons can be learned from the Cyber Resilience Act process, and it is clear that a good definition of open source for legislation is needed. For the CRA, two main objectives were identified in the EC’s digital strategy, aiming to ensure the proper functioning of the internal market: 1) create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and 2) create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements. Given the way the CRA deals with open source software, however, one needs to take care not to kill the goose that lays the golden eggs, as the CRA could have hindered innovation. Companies collaborating in open source development and open source communities might think twice about doing open source if the risk of doing open source gets higher.

A differentiation is needed between the collaborative development of FOSS (upstream) and its commercial use (downstream). The CRA should not be applied to the collaborative development of FOSS but only when FOSS is used in products and services (downstream). As a result, non-profit organizations like the Eclipse Foundation, the Linux Foundation and COVESA (Connected Vehicle Systems Alliance) would not fall within the ambit of the CRA. The cybersecurity obligations should apply to the companies that bring FOSS to market and use it commercially, and not to the developers who make the FOSS source code available free of charge.

As open source software is used in a large part of commercial products, the open source approach to certification tools is to prove compliance based on sufficient evidence from various sources for automated assessments. One such tool is OSCAL (Open Security Controls Assessment Language), developed by the National Institute of Standards and Technology (NIST) to enable automation of risk management and compliance frameworks based on security controls and functional requirements. The focus today should be on opening the standardization process and engaging the open source communities more. A staged process to make this work would be good, as today it feels like legacy and standards are lagging while new tools come up every day. The EC should leverage its economic power to address this at the standardization bodies.

Recommendations on the CRA processes:

  • Use a transparent platform to improve the interaction with the policy makers, as today this is difficult / not possible because the open source community is not organized like a company.
  • Set up a dialogue where the open source community is invited to influence the Cyber Resilience Act.

The CRA has created something new for OSS security: legally required compliance. Manufacturers now have obligations when placing OSS on the market and when integrating OSS as a component. Prior to the CRA, the open source community never faced such legally binding requirements in general, and in particular in terms of cybersecurity.

Software defined vehicle

Software-defined vehicle (SDV) refers to a transformation of automotive design towards a connected, carbon-neutral and customer-centric transport. SDV refers to a novel electronics architecture design, where features, functions, and control algorithms are not hard-coded but flexibly implemented through the deployment of software packages. Hardware design is thereby separated from software development: critical components of an automobile are decoupled, and features, functionality, and operations are defined through software. In a fully programmable car, digital components, such as modules for safety and control, body and comfort as well as infotainment, and vehicle performance, would be continuously developed during the lifecycle of a vehicle and deployed through over-the-air updates.

In the EU, the automotive industry is an example of open and collaborative research and innovation. Challenges in the automotive industry are many. Coming from the deeply embedded domain of electronic control components, the automotive industry today deals with over 150 software stacks in a single car. Cars are on the street for over 20 years, so these software stacks need to be maintained and serviced for this entire lifetime. Open source is therefore at the centre of attention in the SDV developments in the collaborative initiatives from the automotive industry partners and OEMs.

The gap between the value of using open source and contributing to development remains. This also applies to upstream collaboration, as it is still not a common part of the design and development of products. Currently, the sovereignty and openness of the software is completely disconnected from the development process. A complete overview of open source use is not available.

Developing open source talent internally and encouraging involvement from developers across the organization is very much needed in the automotive industry. Currently 27 open source projects are working on the Eclipse Software Defined Vehicle (SDV). Focus is to bring open source closer to being certification-ready and exploit synergies with other initiatives. Principles are 1) Code first 2) Active participation 3) Vendor neutral 4) Transparent and 5) Openness.

The increasing complexity of the vehicle is increasing the need for software; a car is a system that connects with the Cloud-Edge-IoT continuum. The edge infrastructure is needed to enhance the driving experience. A car will be a robot, so interaction and collaboration between the individual cars (actors) is important to ensure safety.

Today there are standards (now openly available), but the source code is still highly proprietary as development costs are very high. Creating secure software is not just a matter of following a process, because the process does not guarantee the quality of the code.

Applications in the SDV domain rely more and more on connectivity; the bulk of the energy consumed is in the communication part, not necessarily in the data processing.

Today's focus is on SDV, but it is about the Cloud-Edge-IoT continuum.

The EC is supporting the industry and started a discussion with major EU players in the automotive manufacturing supply chain. Digital skills are needed, and players are competing to extend their capacity on this. The risk is that parts of the development chain are under control of non-EU entities. So, it is important to not just find ways to collaborate, but it takes a mind shift to collaborate in a pre-competitive mode.

A collaborative ecosystem is critical for the success of initiatives like CHIPS-JU.

An important question we need to answer is: “As open source is an important part of the projects in the industry, what happens if the industry doesn’t solve the issue between collaboration and competition?”

Single companies cannot afford the development costs. The tier 1 needs to develop and provide the code to be used by the OEMs and take full responsibility. If we don’t get this right the EC automotive industry is out. The issue to solve is all about interfaces, and the largest platform offering this will grow and lead the market. So, collaboration in the automotive industry is important to survive, otherwise the market will hand over the responsibility to the software industry. Therefore, we can’t sit back and wait for others to do the job. Participate and be a good citizen in the open source community. We need to manage and update software over a period of 20 years, whereas software companies do not have this know-how as they have a lifecycle span of 2-5 years max.

It is important to remember that open source is not a license, it is a community. And this needs to be more recognized in decision makers’ circles.

Fostering open source in European Public Services

This session shared the experience of six panellists who successfully implemented innovative open source projects and solutions within their organisations. They all shared the challenges they faced and the solutions adopted to overcome these challenges. Such strategies would encourage and help participants to plan better for their own ground-breaking open source initiatives.

David Grössing presented on the experiences of the Austrian National Bank (OeNB) when migrating from Oracle to the open source PostgreSQL. OeNB managed to migrate all services based on Oracle except one, as this is a 3rd party service based on Oracle. The migration was complex, with a possible high impact on business process continuity. In the process 170Tb net data was migrated, of which the largest Db to migrate was 42Tb, meaning 84hrs migration time. Murphy’s law applied here too: the 42Tb of data needed to be migrated together with a connected database of 26Tb. The annual saving achieved on license costs is 650.000€, which is 3% of OeNB’s annual IT budget.

Key lessons learned from this migration process:

  • Create commitment at stakeholder level
  • Find proper support partner
  • PL/SQL is not easy to migrate, consider getting rid of it
  • Applications optimized towards Oracle are obviously harder to migrate than DB agnostic applications
  • In some cases Exadata handles big data really well / a lot faster than Postgres
  • New Postgres improves performance (usually 10%); commercial products require new or additional licenses.

Leonardo Favario of PAGOPA then presented on the implementation of open source in digital services in the public sector in Italy. In Italy there are about 23000 public administrations. Interconnecting the main platforms was the challenge where an SME developed the underlying software service, under control of the public administration.

PAGOPA’s mission now is to enhance the digital transformation of Italy through public-private collaboration. This means connecting SMEs to public services development and supporting open source, where FOSS is the natural approach to facilitate interactions among all ecosystem stakeholders.

Achievements:

  • Digital citizen app (APP IO): 50+ SMEs for 11000 public administrations handling 141000 services.
  • PagoPA: 80+ SMEs for 19000 public administrations

Challenges:

  • An OSPO is needed to provide support upstream to integrate open source methodologies into the company.

Philippe Bareille, OSPO officer at the City of Paris (Mairie de Paris), presented on the open source journey of the City of Paris since 2001.

Achievements:

  • A city service engine called Lutece has been developed that provides a modular platform based on real needs over time, in constant evolution.
  • With Lutece, 250+ digital services are supported and 65% of the citizen relationships are managed. Currently some 30 cities / municipalities use it.
  • Strong footprint in the OSS ecosystem; OSPO established to professionalise OSS management.

Challenges to overcome because sharing is not enough:

  • Governance – engagements to implement and BSD2 based license
  • Community management – dedicated time to spend, events, meet interested partners instead of just going to GitHub and helping yourself
  • Marketing / productising – CiteLibre software suite (pre-packaged solution)
  • Partnership and cooperation – reach out to SMEs, integrators, and partners

Today, CiteLibre is available with 3 full-featured digital services and 2 new services to be released. To foster adoption, translation hackathons are organized abroad and the set-up of new communities has started.

Joel Lambillotte of the Belgian iMIO presented on the open source journey of local governments in Wallonia since 2004, starting in Sambreville. The challenge was to use more modern technologies to improve the internal operations and meet the citizens’ needs. Success was based on the collaboration between local developers and the community to create generic business applications for cities, helped by the Union of Municipalities.

Networking and international recognition efforts were conducted with the FLOSS (Free/Libre Open Source Software) community to convince the Walloon government to officially support the project and create a permanent public structure, iMIO (intercommunale: a public company created by municipalities in order to carry out public service missions of common interest), shifting from FLOSS to iMIO in 2012.

Challenges:

  • The principle that public money should not be spent twice for the same development was hard to put into practice.
  • Quality assurance and coordination between different user communities was not funded. Larger cities that could provide funding could also influence the agenda too strongly.
  • The challenge was that local communities / governments don’t know how open source communities work. Therefore, the solution is to keep the FLOSS philosophy: source code publication, collaboration with communities etc.

Open Source for Data Spaces

The session analysed how to provide and use Open Source as much as possible for developing Data Spaces, like the Public Procurement Data Space (PPDS). It asked to what extent the same toolset could be re-used by Member States, how SIMPL can contribute to Digital Autonomy and efficient use of resources in this domain, and how Member States can benefit from data spaces like the PPDS.

Alexandra Balahur presented on SEMIC, the Semantic interoperability community working to deliver pragmatic support to help build an interoperable Europe. SEMIC works on specifications of open and free-to-reuse data models, is supported by and supports pilot projects to scale up interoperability maturity, and provides a knowledge hub to foster interoperability and share knowledge.

SEMIC contributes by providing learning and other materials:

  • DCAT-AP is the standard solution to ensure metadata is exchanged smoothly across all data spaces. DCAT is based on an international standard from the World Wide Web Consortium, Data Catalog Vocabulary.
  • LDES, a publishing strategy by which a data provider allows multiple third parties to stay in sync with the latest or historical versions of the data source in a cost-effective manner.
  • Semantic registry to pave the way for increased reusability and discoverability of semantic assets throughout Europe.
  • Solid, a decentralized web technology based on Linked Data for personal data management in the data spaces.

DG DIGIT’s role is to support data spaces with existing assets and services, as well as to establish synergies with stakeholders active in this field to provide a more comprehensive support.

Isabel Campos presented on Data Spaces and open source tools. The aim of bootstrapping the EU Data Spaces is to boost the creation of an engaged community that will evolve the software and develop customized solutions. This is very much needed to support research on larger scientific challenges. The basis for this is availability of and access to data. Research and analytics of data is driven by the power of digital technologies, like Cloud, Artificial Intelligence, Mobile technologies and more. The compute challenge is to reach higher performance and efficiency driven by new hardware and software technologies.

The software challenge focusses on the use of Machine Learning, containerization of resources, virtualization, data analytics, data streaming and data storage.

The data challenge focusses on managing and sharing high data volumes, which demands bandwidth. The European strategy for data, which creates a single market for data, supports the availability of and access to data. Open policies support the free flow of data across sectors and countries with respect for the GDPR, providing a horizontal framework for data governance and data access.

Marc Christopher Schmidt, DG GROW G.4 (business owner), presented on the Public Procurement Data Space. The purpose of the PPDS is to support 250000 public buyers, who spend 2 Trillion € (14% GDP), covering all sectors from energy, transport, infrastructure, health, defense etc., as good purchasing boosts jobs and will help to make Europe greener.

To unlock the potential, there is a need for access to good data and the ability to analyse it in order to make good policies. The PPDS is to improve EU. PPDS is the first common EU DS, funded through Digital Europe. The PPDS collects data from various data sources and is built around the eProcurement ontology. As it is financed with public money, the PPDS is based on open source, publishes open source code and avoids vendor lock-in. It allows all member states to replicate the data space.

Daniel Arosa, from NTTDATA, explained the PPDS architecture and the open source used in more detail. The solution creates a data space that consolidates the data from every public procurement data source in Europe by providing interoperability of the data through common semantics (ePO Ontology). Additionally, PPDS provides data analytical capabilities to facilitate evidence-based decision making for buyers, economic operators and policy makers. The PPDS open source repository can be found at: code.europa.eu. PPDS follows the FAIR principles and a full semantic approach for data management.

Gaël Blondelle, ECLIPSE, presented on the role of open source foundations.

Open source is the foundation of Modern Software and there are diverse open source approaches, like GitHub, Single Vendor, and Open Source Foundations (e.g. ECLIPSE) providing Open Source Governance.

Eclipse supports open source projects for Data Spaces to foster adoption and innovation. Developers adopt open source, which enables permissionless innovation and supports higher levels of experimentation.

Projects:

  • Eclipse dataspaces components – IDSA
  • Eclipse cross federated services – GAIA-X federated services
  • Eclipse Tractus-X – CATENA-X automotive network

Open source leadership is to grow from technology strategy towards a business strategy increasing the customer value.

Eline Lincklaen Arriens, Capgemini Invent, community manager SIMPL, presented on the SIMPL programme. SIMPL is an open source initiative that started on January 1st 2024; it is the middleware meant to support dataspaces. The aim is for the EC to pay once for a backend of dataspaces instead of multiple times for each dataspace: a single backend to improve the ease of exchanging data between dataspaces. A €41Mio contract is established.

The vision on European Data Spaces is to create DSs for a large variety of topics, bringing together high value datasets from the public sector with a focus on pooling and sharing of data driven by stakeholders. The data spaces support center (DSSC.EU) is there to coordinate the development of data spaces and to assure common standards and interoperability.

SIMPL is the smart middleware solution for data spaces as part of the Technical Infrastructure for DSs, which further consists of Cloud-Edge-IoT services, High performance computing services, AI on demand and testing and experimentation facilities. For the Public Procurement Data Space and Destination Earth there is SIMPL-Lite. SIMPL Open will follow a standard process and will be open source under proper open source licenses.

The workshop then closed with some closing remarks by Leontina Sandu, HoU, DG DIGIT B2, European Commission and Pierre Chastanet, HoU, DG CONNECT E2, European Commission.