The Open Source Economy is Cracking and Europe’s SMEs are on the Fault Line

What may seem like a well-managed ecosystem is far more fragile than it appears.

By Ilkka Turunen | edited by Jason Fell | Feb 24, 2026

Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur Europe, an international franchise of Entrepreneur Media.

Open source software (OSS) is one of the greatest economic multipliers of the 21st century, without which none of our current software age would exist. Openly sharing the latest innovation between tens of millions of developers has led to a new renaissance of innovation. No wonder then that OSS now underpins 96% of all software codebases, powering everything from financial platforms to energy systems, spaceships, enterprise software, and AI itself.

However, the foundations of this shared system of trust and sharing are starting to crack. A handful of volunteers maintain a majority of this critical infrastructure. What may seem like a well-managed ecosystem is far more fragile than it appears.

For the thousands of small- and medium-sized enterprises (SMEs) and startups that comprise the backbone of Europe’s economy, this is more than a cybersecurity concern. It’s a systemic operational and economic risk.

The business risk: SMEs inherit vulnerabilities they never created

Working with businesses of all sizes across Europe, I observe a consistent pattern: SMEs do everything right on their own systems, yet still find themselves vulnerable to dependencies buried several layers deep. In the race to be fastest to market, basics are forgotten and fundamental flaws are accidentally adopted.

A typical application uses an average of 180 open source libraries, which in turn depend on hundreds more. Many SMEs lack the tools or resources to fully map, let alone monitor, such large dependency trees. When a single component deep within that tree is abandoned or contains a critical vulnerability, SMEs have no warning until something breaks.

The Log4j incident in 2021 made this painfully clear. Businesses that had never heard of the library were suddenly required to audit every system they touched. Many found themselves burdened with forced downtime, not because of a failure of internal engineering capabilities but because monitoring and tracking the usage of a widely used dependency had been neglected for too long.

More recently, this tale is being repeated with React2Shell – a very similar vulnerability in another, nearly as popular JavaScript component, which has prompted the US CISA agency to require all US Federal agencies to interrupt work and patch their software safely.

Security, then, is not a matter of slowing down innovation for mindless compliance, but a fundamental need given the modern digital threat landscape.

Europe’s opportunity: policy momentum with practical applications

Europe is well on its way to setting a global standard for addressing some of the underlying problems. Regulations such as NIS2 and the Cyber Resilience Act are raising expectations for software accountability and secure-by-design development, including the use of open source components. This matters because it compels a shift toward documented, auditable practices across supply chains, rather than just relying on individual best efforts.

One proposed initiative is the EU Sovereign Tech Fund (EU-STF), intended to support maintenance and security of critical open source infrastructure, which could strengthen the ecosystem in ways individual businesses cannot.

If implemented carefully, Europe could support volunteer communities sustainably while showing the rest of the world what open source resilience looks like.

What founders and business leaders can do today

While policy will introduce new bars for security, SMEs can take meaningful steps now to support the ecosystem. The good news is that, done right, they can add to the speed of development – not slow it down.

Here are the three actions that matter most – no coding skills required:

1. Understand your dependency footprint

Software bills of materials (SBOMs) are no longer optional. They reveal what you’re actually running, which maintainers you rely on, and what needs attention. Generating one for the software you’re building is simple – and it helps manage technical sprawl as businesses evolve.

2. Evaluate the health of the open source projects you depend on and give back

Metrics include release cadence, maintainer responsiveness, the number of contributors, and community governance. This can be as important as the code itself, helping you choose projects that have supported, healthy maintainers behind them. Even better, contributing back

3. Choose vendors that take supply chain security seriously

Ask suppliers how they monitor dependencies, how quickly they patch, and how they support maintainers upstream. Encourage responsible consumption.
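For the engineering team acting on action 1, an added example (not part of the original article): once an SBOM exists, the dependency graph it records can answer the Log4j-style question of which direct dependency drags in a component buried several layers deep. The CycloneDX-style document, the component names and the `find_paths` helper are all constructed for illustration.

```python
import json
from collections import deque

# Constructed sample: a minimal CycloneDX-style SBOM for a hypothetical application.
SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "shop-backend", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "a", "name": "web-framework", "version": "3.2.0"},
    {"bom-ref": "b", "name": "report-generator", "version": "0.9.1"},
    {"bom-ref": "c", "name": "pdf-toolkit", "version": "2.4.0"},
    {"bom-ref": "d", "name": "log4j-core", "version": "2.14.1"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["a", "b"]},
    {"ref": "b", "dependsOn": ["c"]},
    {"ref": "c", "dependsOn": ["d"]}
  ]
}
""")

def find_paths(sbom, target_name):
    """Return the shortest dependency chain from the root to each component named target_name."""
    root = sbom["metadata"]["component"]
    names = {c["bom-ref"]: f'{c["name"]}@{c["version"]}' for c in sbom.get("components", [])}
    names[root["bom-ref"]] = f'{root["name"]}@{root["version"]}'
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    targets = {c["bom-ref"] for c in sbom.get("components", []) if c["name"] == target_name}
    paths, seen, queue = [], {root["bom-ref"]}, deque([[root["bom-ref"]]])
    while queue:  # breadth-first walk; `seen` also protects against dependency cycles
        path = queue.popleft()
        if path[-1] in targets:
            paths.append([names.get(ref, ref) for ref in path])
            continue
        for child in edges.get(path[-1], []):
            if child not in seen:
                seen.add(child)
                queue.append(path + [child])
    return paths

if __name__ == "__main__":
    for chain in find_paths(SBOM, "log4j-core"):
        print(" -> ".join(chain))
```

The chain names the direct dependency to upgrade or replace, which is the piece of information teams without a dependency map have to reconstruct by hand during an incident.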

Open source software has fuelled digital innovation for over two decades now, accelerating progress in Europe for entrepreneurs and policymakers alike. The next challenge is ensuring that this shared infrastructure is resilient enough to keep Europe’s entrepreneurs building safely on top of it.

In practice, this means having better tools, visibility, sustainable funding, and a shared responsibility mindset. Ultimately, the future of Europe’s digital economy rests on code most people never see. It’s time we invested in the people who keep that code alive.
