Sovereign Tech Fund: how Germany funds critical open source

Open source is now the foundation of many systems used by companies, public administration and ordinary users. Some important projects are still maintained by small teams or even single individuals. Germany treated this problem as a matter of public infrastructure and launched the Sovereign Tech Fund.

The fund is an interesting example of a practical approach to digital sovereignty in Europe. Instead of stopping at slogans about independence from Big Tech, Germany created a mechanism that pays for concrete work in concrete open source projects.

Why open source became infrastructure

Many companies use open source every day, even if it is not always visible on an invoice from a vendor. Programming libraries, frameworks, package managers, security tools, servers, operating systems, protocols and developer tools are built into thousands of products.

Public administration has similar dependencies. Government systems, websites, cloud solutions, document workflows and internal applications usually rely on many open components.

The scale of usage often does not match the scale of funding.

A project may be used by millions of applications and still be maintained by a few people. Sometimes by one person working on it after hours. As long as everything works, few people pay attention. When a serious security vulnerability appears, it turns out that banks, online stores, offices, hospitals and large technology companies depend on a small project.

Log4j is a good example. One vulnerability in a popular Java library caused a global security problem. It showed how many systems can depend on one component that most users have never seen directly.

What is the Sovereign Tech Fund

The Sovereign Tech Fund is a German public funding program for key open source technologies. It supports the development, security and maintenance of open digital base technologies.

Germany uses the term “open digital base technologies”. This means the layer below user-facing applications: components that developers and administrators use to build other systems.

Examples include:

  • programming libraries,
  • package managers,
  • implementations of communication protocols,
  • administration tools,
  • developer tools,
  • encryption technologies,
  • security tools,
  • standards and infrastructure components.

The list of supported projects includes OpenSSH, curl, WireGuard, OpenSSL, PHP, Drupal, systemd, FreeBSD, GNOME, FFmpeg, OpenStreetMap, Let’s Encrypt, Mastodon and the Python Software Foundation.

The Sovereign Tech Fund does not finance another set of end-user applications. It is not looking for typical messengers, portals or file storage systems. It focuses on the layer on which such systems are built.

How the fund was created

Before the fund was launched, a feasibility study was prepared. Its authors checked how open digital base technologies could be supported and which funding instruments would make sense.

The Sovereign Tech Fund started operating in September 2022 within SPRIND GmbH, the German Federal Agency for Disruptive Innovation. The official launch took place on 18 October 2022 in the Bundestag.

At first, it was a pilot. According to the pilot phase report, around EUR 1.3 million was budgeted for the fourth quarter of 2022, and around EUR 1.25 million was spent on setting up the program and the first round of nine projects.

The pilot included:

  • OpenMLS,
  • curl,
  • WireGuard,
  • OpenSSH,
  • Bundler and RubyGems,
  • OpenBGPd,
  • Sequoia PGP,
  • Fortran Package Manager,
  • OpenPGP.js and GopenPGP.

This list shows the way the fund thinks. It includes components needed for security, communication, software packaging and the functioning of the internet. Trendy apps with a nice interface are outside the main scope.

How the Sovereign Tech Agency works

The Sovereign Tech Fund now operates within a broader organization called Sovereign Tech Agency GmbH. It is a subsidiary of SPRIND.

At the beginning, the fund was incubated at SPRIND. After the first year, Germany decided that the program should become a permanent organization. In 2024, the Sovereign Tech Agency was created as the home for the fund and additional programs.

According to the official FAQ, the agency is now financed by the German Federal Ministry for Digital Transformation and Government Modernisation. Older materials refer to BMWK, the Federal Ministry for Economic Affairs and Climate Action. When analyzing budgets, it is therefore worth checking the publication year of the source and the current division of responsibilities within the German government.

The agency is led by Adriana Groh, Luisa von Beust and Fiona Krakenburger. Formally, according to available register information and the legal notice, the managing directors are Adriana Groh and Luisa von Beust. Fiona Krakenburger is CTO and is responsible for technology strategy and investments.

This is not a loose community initiative. It is a publicly funded organization operating within Germany’s institutional system, but with a team that understands open source.

How the funding works formally

The fund does not work like a classic grant program for hobby projects or like a venture capital fund. It is closer to a public mechanism for commissioning work on critical digital infrastructure.

The process works roughly like this:

  1. The state provides public funding.
  2. The program runs through a specialized organization.
  3. The team scouts important open source projects and accepts applications through a platform.
  4. Projects are evaluated according to public criteria.
  5. After a positive review, the scope of work is refined.
  6. The agency consults external experts.
  7. A contract is prepared.
  8. Payments are connected with invoices and progress reports.
  9. A final report is prepared after the project ends.

According to the OSOR case study, the fund operates under German public procurement law. Germany is not simply “giving money to open source”. It commissions specific work that matters for the security and stability of digital infrastructure.

Who can apply

The Sovereign Tech Fund accepts applications from all over the world. Germany did not limit the fund to German or European projects.

If German administration and German companies rely on a global open source project, improving that project also strengthens the German economy and public administration.

Different types of applicants can apply:

  • individuals,
  • companies,
  • foundations,
  • open source communities,
  • fiscal hosts, meaning entities that handle the finances of a project,
  • other organizations able to sign a contract.

If the applicant is not the main maintainer of a project, they need to show that they are in contact with the maintainers or the community and that the planned work has their support.

This fits open source well, because project structures differ a lot. Sometimes a project has a foundation. Sometimes a company. Sometimes only a group of people. The program needs to handle that, otherwise it would exclude many important projects.

What criteria are used to select projects

The Sovereign Tech Fund evaluates projects using six main criteria.

The first criterion is prevalence. The fund checks whether the technology is widely used by other technologies. It is not only about GitHub stars. What matters more is whether other systems depend on the project.

The second criterion is relevance to important sectors. A project may be important for education, healthcare, energy, industry, public administration or security.

The third criterion is vulnerability. This includes underfunding, lack of people, technical debt, maintainer burnout or dependence on one person.

The fourth criterion is public interest. The fund needs to see that the funding will benefit society or critical sectors.

The fifth criterion is the quality of the proposed activities. The team checks whether the plan is realistic, whether the budget matches the scope and whether the work will actually improve security, stability or maintenance.

The sixth criterion is expertise. Applicants need to show that they have the knowledge, experience and trust of the project community.

These criteria could also be used in Poland. They are clear, practical and do not reduce the process to the question of who wrote the better application.

What the application process looks like

Applications are submitted through an online platform. At this stage, the Sovereign Tech Agency does not want additional materials by email. The application must be in German or English.

The process has several stages.

First, the team checks the formal requirements. The project must concern open digital base technologies. Code and documentation must be licensed in a way that allows free use, modification and redistribution. For code, OSI-approved or FSF Free/Libre licenses are accepted.

Then projects that pass the first stage are evaluated according to substantive criteria. This stage may take up to 10 weeks.

If the evaluation is positive, the scoping phase begins. A program manager talks to the applicant, clarifies open questions, refines the budget, scope of work, milestones and project description.

The agency then consults external open source experts and practitioners about the project. Their perspective is taken into account in the final selection.

The last stage includes legal review, compliance checks, preparation of documents and the contract. This stage may take up to 8 weeks.

The whole process, from submission to a possible contract start, takes about 6 months.

What amounts are involved

The current minimum is EUR 50,000. The cost of the work described in the application must exceed that amount.

The previous minimum was EUR 150,000. The fund lowered it to EUR 50,000, because that amount is a better fit for many maintainers who cannot immediately commit to a full-time engagement.

The pilot phase report described the model with these parameters:

  • EUR 50,000 to EUR 500,000 per project,
  • 6 to 24 months of project duration,
  • around 30 projects per year,
  • around EUR 10 million in annual funding volume,
  • additional support, such as audits, consulting and coaching.

The current program page does not provide a fixed upper limit. According to the OSOR case study, in practice investments have reached around EUR 1 million.

In its first year, the Sovereign Tech Fund invested EUR 15.25 million in 40 technology projects. In 2024, official materials referred to EUR 23.5 million invested in total in more than 60 technologies.

According to the current technology page, the agency has identified 195 critical technologies, supported 108 technologies and commissioned work worth EUR 37.3 million.

These numbers need to be read carefully. Some sources show annual budgets. Some refer to the value of commissioned work. Some combine the fund with additional programs. The scale is clear though: this is no longer a small experiment, but a permanent mechanism for funding digital infrastructure.

What the fund finances

The fund finances work that is not very visible to users, but is important for project stability.

Examples include:

  • security fixes,
  • bug fixing,
  • code modernization,
  • improving release processes,
  • tests,
  • documentation,
  • code audits,
  • CI/CD work,
  • reducing technical debt,
  • maintaining key features,
  • paying project maintainers.

The market does not pay well for these tasks. A company will gladly pay for a feature it needs in its own product. It is less likely to pay for rebuilding the internal architecture of a library used by everyone. Yet this is often the work that decides the security and stability of the whole ecosystem.

What reporting looks like

Reporting is meant to be lightweight. Heavy bureaucracy would discourage many open source projects.

According to the FAQ, regular reports are usually connected with invoicing. The reporting format is agreed between the project and the program manager. It may be an email, a bullet list, a short summary or links to pull requests.

At the end of the project, a final report is required. It should describe:

  • what impact the funding had on the project,
  • what was completed,
  • what problems appeared along the way,
  • what impact it had on the community,
  • what the next steps are.

The state needs to know how public money was spent. At the same time, it should not require small open source teams to provide the same documentation as large contractors in traditional public tenders.

What programs exist alongside the fund

The Sovereign Tech Agency is no longer only the main fund. Several additional programs have been built around it.

The Sovereign Tech Fund is the main program for investing in open digital base technologies.

Sovereign Tech Resilience focuses on security and project resilience. It includes direct contributions to projects, code audits and bug bounty and fix bounty programs.

Sovereign Tech Fellowship supports the people behind the code. This includes maintainers, community managers and technical writers.

Sovereign Tech Challenge uses a competition model to look for new solutions to specific problems in the open source ecosystem.

Sovereign Tech Standards supports open source maintainers participating in standards work, for example at IETF, W3C and ISO.

Funding code alone is not enough. Security, documentation, people, standards and cooperation between projects also need funding.

Why this is part of digital sovereignty

Digital sovereignty often sounds like a political slogan. Here, it means specific things.

The state and companies should know which technologies they depend on. They should be able to audit them. They should have access to competence. They should be able to maintain critical systems even when vendors or geopolitical conditions change.

Open source helps because it gives access to code and the ability to develop software independently. But access to code alone is not enough. If nobody pays for maintenance, tests, security and project care, openness does not solve the problem.

The Sovereign Tech Fund shows that difference well. Saying “let’s use open source” is not enough. Someone also needs to pay for maintaining it.

What this means for Poland

Poland should look closely at this model.

It does not need to copy it one to one. Germany has different institutions, a larger budget and a different position in Europe. The mechanism itself is practical.

Polish public administration and Polish companies rely on the same global open source components. We use libraries, frameworks, server systems, security tools and standards. If they are weak, underfunded or dependent on one person, the risk also affects us.

A similar fund in Poland could finance:

  • components used in public administration,
  • libraries and tools used by Polish companies,
  • security of popular open source projects,
  • code audits,
  • documentation and tests,
  • release processes,
  • maintainer work,
  • participation in standards work,
  • maintenance of open systems used by the public sector.

Poland does not need another program for prototypes. A mechanism for funding the maintenance of what we already use would be more useful.

What a Polish pilot could look like

I would start with a small 2-year pilot, without building a large agency right away. The program could operate within an existing institution, but it should have a separate team, a clear brand and people who understand open source, security and public procurement. As a working model, I would imagine a budget of PLN 10 to 20 million, 10 to 20 funded projects, amounts from PLN 200,000 to PLN 1 million per project, lightweight reporting and a public report after the first year.

Such a program should combine two modes. The first is open applications, where projects can apply themselves. The second is active scouting of components on which Polish administration and the economy depend. This second mode matters, because the most important projects do not always have people who will write applications. Sometimes you need to reach them and offer funding for specific work.

Before launching, several issues need to be decided: whether Poland funds only domestic projects or also global projects used in Poland; whether the beneficiary can be an individual, company, foundation or fiscal host; whether money flows through grants, contracts or a mixed model; how criticality is measured and how results are checked. Poland does not have to invent everything from scratch. In 2025, the European Commission established the Digital Commons EDIC, and Poland appears there as an observer. One of the first projects is supposed to be a pilot European Sovereign Tech Fund in cooperation with the German Sovereign Tech Agency.

What this model has to do with Drupal

I also look at this topic from the perspective of the Drupal world. Drupal has been used for years to build websites for administrations, universities, public organizations and large companies. If the state wants repeatable, accessible, secure and inexpensive-to-maintain websites, Drupal is one of the natural candidates.

Australia is a good example. It has GovCMS, a government CMS and hosting service based on Drupal. According to the official GovCMS website, it supports more than 370 websites for more than 115 agencies at different levels of government. This shows that a state can treat Drupal not as a one-time technology choice for one website, but as shared infrastructure for many institutions.

A similar mechanism in Poland could produce large savings. Instead of every city, municipality or office ordering a custom-built website from a different company, Poland could create and maintain a shared Drupal starter: with ready content architecture, accessibility, security, integrations, visual standards and modules needed by local governments. Companies could still implement, adapt and maintain such websites, but public money would not be spent on rebuilding the same basics from scratch every time.

What to watch out for

Such a fund can easily be spoiled.

The biggest risk is the classic grant logic. If the program rewards nice applications, tables and formal descriptions instead of real technical value, the money will not go where it should.

The second risk is too much reporting. Maintainers of small open source projects often do not have administration departments. If handling the funding is too difficult, the best people simply will not apply.

The third risk is capture by large service companies. Companies can be good contractors, but the fund should make sure that the work has the acceptance of the project community and strengthens shared infrastructure, not only one vendor’s product.

The fourth risk is too narrow a scope. If Poland funded only projects run in Poland, the impact would be limited. Many critical components are global.

The fifth risk is too broad a scope. If the fund starts financing any applications, portals and prototypes, it will stop being an infrastructure fund.

How to measure the effects of such a program

In open source, not everything can be measured with simple indicators. A lot of value may come from the fact that an outage did not happen, a security vulnerability did not appear or a project became less dependent on one overloaded person.

That is why quantitative and qualitative data should be combined.

You can measure:

  • completed milestones,
  • security fixes,
  • reduced backlog,
  • more active maintainers,
  • improved documentation,
  • quality of tests,
  • stability of the release process,
  • response time to issues,
  • API stability,
  • adoption by administration or companies,
  • impact on the project community.

After funding ends, it is also worth talking to projects. Repository metrics alone will not show whether the money really improved the situation. Sometimes the more important information is that the project gained a second maintainer, improved documentation or cleaned up the release process.

Why this matters for companies

The Sovereign Tech Fund is also an important business signal.

If states start treating open source as infrastructure, services around open source will matter more. Companies will need not only implementations, but also maintenance, audits, support, integrations and regulatory compliance.

This applies to areas such as:

  • CMS systems and web portals,
  • ERP systems and document workflows,
  • internal company portals and intranets,
  • systems for public administration,
  • programming libraries and frameworks,
  • security tools and code audits,
  • migrations from closed systems to open solutions,
  • long-term support for open source infrastructure.

Open source is no longer only a cheaper alternative to commercial software. It is increasingly becoming a strategic technology decision. If a company or public institution wants to use it seriously, it also needs to think about maintenance.

Summary

There is already a lot of open source in Polish institutions. But the decision to use it is often made from the bottom up: an office, a team or a contractor chooses a specific system and then customizes it separately. In practice, many similar institutions later pay for very similar work.

Some of these decisions could be moved higher and made more consciously for public administration. If many offices need a similar module, integration, plugin or security fix, a fund could pay for its development. The code would then go back to open source, and other institutions could use it without rebuilding everything from scratch.

This approach is already visible in the Drupal world. Australia has GovCMS, and the European Commission publishes ec-europa repositories on GitHub with tools and components used in its web projects, including Drupal projects. The principle is simple: if public administration is already financing the development of websites and systems, part of that money can build a shared base that the next institutions can reuse.

The greatest value of a Polish equivalent of the Sovereign Tech Fund would not be giving money away. It would be a mechanism that turns individual, scattered customizations into public improvements of shared infrastructure.

You can look at it a bit like a motorway. Everyone uses it, so it makes sense to maintain and improve it together. If a lane needs to be added, an exit improved or safety increased, cities do not each do it separately for themselves. Open source in public administration could work in a similar way: one well-funded improvement could later serve many institutions.

Grzegorz Bartman

Co-CEO & Co-founder of Droptica, a Drupal agency. Co-organizer of DrupalCamp Poland since 2012. Writes about open source, productivity, and hardware.