Open Source Congress 2025

The third Open Source Congress took place in Brussels on 16 September 2025. This annual gathering brings together code-hosting open source foundations and partners to align on critical issues facing the ecosystem. The Eclipse Foundation hosted the event, which focused on four key topics: open source in a multi-polar world, cybersecurity, sustainability, and regulation and public policy. The primary value of such gatherings lies in alignment and exchange rather than concrete actions. Since Open Source Congress operates under Chatham House rules and is less accessible than typical open source events, sharing insights from the discussions serves the wider community. Below are personal observations from the four panels.

Panel 1 - Open Source in a Multi-Polar World

The open source ecosystem was multi-polar from its inception. Key open source innovations originate from various regions: Ruby from Japan, Linux and Python from Europe, the GNU Project from the US. The US tech industry was quicker to realize open source technologies as a growth driver, allowing US business interests to overlay this narrative today. However, nothing is inherently polarizing in how the open source ecosystem works. It serves as both creative destruction and resilience mechanism, undermining traditional control structures while remaining largely unregulable. Cultural and language barriers continue to shape how and where contributors collaborate, making truly global collaboration a key challenge. There is optimism that AI will provide instant translation mechanisms to bridge such divides. Maintaining arms-length distance from policy making remains essential to preserve open source’s organic governance. At the same time, regulation will inevitably affect the ecosystem’s global dynamics. The EU Cyber Resilience Act is the first law explicitly shaping stakeholder roles. While progress has been made in building capacity and expertise for open source foundations to engage in policy debates when necessary, much work remains.

Panel 2 - Cybersecurity: Influencing Best Practices and Standards

A global race to define cybersecurity standards creates a maze of regulation across international markets. While this challenges global manufacturers, open source communities face few concrete regulatory obligations. However, to enable global adoption of their releases, they are strongly incentivized to support downstream users with documentation and sound cybersecurity practices. Creating an environment conducive to smooth upstream-downstream collaboration requires open source foundations to engage in relevant standards development processes that define implementation details of cybersecurity regulation. This remains difficult, as most stewards lack both funding and subject matter expertise for standards development. The panel revealed tensions between traditional open source collaboration and emerging bureaucratic frameworks at organizations like the UN and DPGA, warning that OSS risks losing its core strengths when bent to external rules. The discussion emphasized that effective policy engagement should facilitate organic collaboration and create market-driven incentives rather than impose rigid bureaucratic structures. Initiatives like the Linux Foundation’s Alpha-Omega serve as effective funding instruments that align with open source principles. In recent years, public initiatives like the German Sovereign Tech Agency increasingly support under-maintained projects. Under guidance from Open Forum Europe, a feasibility study has been submitted to the EU to elevate such activities to the European level with a larger budget.

Panel 3 - Sustainability and the Open Ecosystem

The sustainability of the open source development model is hotly debated. The underlying issue appears to be a mix of insufficient funding and a fundamental “matchmaking problem” of allocating available funds to specific projects and contributors efficiently. While the myth that open source is the unpaid labor of love of hobbyist maintainers still percolates, the 2024 Open Source Software Funding Survey shows that 86% of contribution value comes from employee labor. This study raises challenging questions. On one hand, what will be the effect of 50m€ public funding initiatives if $7.7B is invested by private industry annually? On the other hand, if more funding becomes available, how will it be distributed? Grant making will profoundly impact the viability of individual projects, raising concerns about public sector actors’ ability to effectively disperse sovereign-tech-fund-like funds where they are needed most, rather than to favored champions or consultancies specializing in grant acquisition. However, such initiatives will likely support ecosystem diversity and grassroots initiatives, which may be a benefit worth the cost. Some funding programs focus on maintenance or security, creating a risk of fragmenting development work by separating improvement, maintenance, and security responsibilities. Since implementing new features is always most fascinating, the impression that maintenance and cybersecurity are somebody else’s problem must be avoided. Emerging models favor market-driven approaches like the EU CRA, which creates business incentives for maintenance work and eliminates freeloading, potentially contributing more to open source sustainability than public spending programs that struggle with coordination and measurement challenges.

Panel 4 - Regulation and Public Policy

The final session was essentially a moderated Q&A round. A cluster of questions evolved around how external forces now influencing the open source world will reshape open collaboration dynamics. The release-early-release-often, show-me-the-code mentality drives experimentation and a somewhat Darwinian trial-and-error approach to identifying promising projects. Voluntary participation ensures that projects receive attention according to their value to the community. Interestingly, funding programs based on selective awards are expected to bias these mechanisms more than market access regulation. Future research is needed to verify this expectation. However, regulatory approaches will fundamentally reshape the ecosystem by influencing adoption criteria for components, driving consolidation of fragmented libraries into fewer, more maintainable packages and addressing collective action problems around responsibility and decision-making in policy advocacy. This will affect different communities differently, depending on factors like the granularity and maintainer base of package repositories. However, there is a prevailing assumption that smaller communities and their stewards will face greater challenges than larger ones.

Looking Forward

Open Source Congress represents more than an annual conference. It embodies the vision of ongoing collaboration among open source foundations to address the ecosystem’s evolving challenges. The facilitating of coordination between stewards serves at least two purposes: bridging cultural and language divides that have historically fragmented global collaboration, and building the collective capacity needed to engage effectively with increasingly complex regulatory environments. While the tension between preserving open source’s creative autonomy and meeting external compliance requirements will continue to influence the ecosystem’s future, the foundation community’s growing expertise in policy advocacy and standards development positions it increasingly better to navigate these challenges. The conversations at this year’s Congress suggest that open source’s greatest strength, its ability to adapt and evolve organically, will ultimately enable it to thrive within, rather than despite, the new regulatory landscape.