Summary7 min read

Podcast Summary: EU Scream – Ep.129: Sovereignty and Software

Date: June 22, 2026

Host: James Kanter
Guest: Dries Buytaert (Founder, Drupal; Advocate for European Open Source)

Overview

This episode of EU Scream dives deep into the critical intersection of technological sovereignty, digital policy, and the rise of open source software in Europe. Against the backdrop of US political shifts and increasing anxieties over tech-driven authoritarianism and surveillance, host James Kanter interviews Dries Buytaert—creator of the widely-used open source system Drupal and a leading figure promoting open source as Europe’s best defense against dependency on US and Chinese digital infrastructure. Together, they discuss why open source is vital for sovereignty, the challenges facing European tech autonomy, and the nuanced, sometimes surprising, ways software licensing, cloud infrastructure, and political reality interact.

Key Discussion Points & Insights

1. Big Tech, Sovereignty, and Growing Geopolitical Risks

Main Concern: The world’s digital backbone is controlled by a handful of US tech giants with close government ties. Fears have emerged over how a more autocratic US administration could leverage this for surveillance and control, potentially ushering in an era of "technofascism" (00:03–03:27).
- Notable Moment: The International Criminal Court prosecutor’s Microsoft email was cut off following the issuance of an arrest warrant for Israeli PM Netanyahu (01:22).
- EU’s digital sovereignty agenda includes investing in chips, data centers, European tech alternatives, and especially open source, which makes switching providers more feasible.

2. Open Source as an Antidote to Tech Oligopoly

Open source allows users to adapt, inspect, and fork software, preventing vendor lock-in. This aligns with Europe’s desire for more autonomy – what Buytaert calls a "spare key" to critical infrastructure (03:28–05:29).
Buytaert supports a pragmatic approach: software sovereignty comes from license type, not company headquarters. Buy European? Only "durable" via open licensing.

3. Techno-fascism, AI, and Platform Power

The linguistic shift from democratizing tech to worries over AI-driven governance and unchecked platform power (06:08–09:56).
- Quote: “We basically have a handful of billionaires… They control large language models, compute, platforms, and increasingly the information space.” —Dries Buytaert (06:36)
Buytaert calls for regulation, suggesting something like an "FDA for algorithms" to audit major societal impacts.

4. Drupal’s Global Adoption & the Politics Behind Platform Choice

Drupal as modular, customizable, and open—chosen for complex use cases in government and enterprise (09:56–13:45).
Changes in US administration led to shifts from Drupal to simpler platforms, stripping out participatory and multilingual features (12:00–13:45).
- Example: The Obama administration’s "We the People" petition platform empowered direct democracy, abandoned under Trump.
The weaponization of government websites, deletion of datasets—demonstrate tech choices are political.

5. Origins and Ideology of Open Source

Buytaert’s background: Influenced by Linux community and Stallman’s Four Freedoms, but less dogmatic, more commercially open (15:10–19:41).
- Quote: “I deeply believe in the four freedoms… but I also believe in making money and building commercial ecosystems.” (18:42)

6. Open Source Licensing: The Practicalities of Sovereignty

GPL vs. MIT License: GPL (used by Drupal) compels derivative works to remain open, ensuring code remains accessible and shareable; MIT is more permissive (20:07–21:38).
Linus’ Law: “Many eyes make bugs shallow”—the security benefits of public code audit (23:00–24:29).

7. Security, Vetting, and the Myth of Open Source Vulnerability

Buytaert describes robust vetting in mature open source projects—changes require multiple sign-offs, often 20+ reviewers (25:02–26:10).
Drupal’s cloud solutions are FedRAMP compliant, meeting the highest US government security standards.

8. Sustainability Crisis: Volunteers, Burnout, and EU Support

Sustainability is the real challenge for open source: as maintainers age, EU funding for open source is a "good start" but dwarfed by the money spent on proprietary US software (29:47–32:31).
- Numbers: EU spends $264 billion/year on US IT but only allocates $2 billion over 7 years for open source support.
Buytaert argues open source is a public good, which governments should fund like infrastructure.

9. ‘Public Money, Public Code’ and the March Toward True Sovereignty

EU’s new tech sovereignty policy borrows open source rhetoric, advocating ‘open source by default’ for publicly funded software, but stops short of a strict mandate (33:43–36:00).
- Memorable Moment: Buytaert’s “sovereignty scale” for software—policy emphasis should be on code license, not company HQ.

10. The Insufficiency of ‘Buy European’ and the Power of Forking

European companies can be bought overnight, transferring legal jurisdiction (e.g., Skype, Contentful). Only open source’s forking rights offer long-term sovereignty (36:47–41:06).
- Quote: “It’s kind of like having a spare key to your own house.”
- MySQL’s fork to MariaDB (from Oracle acquisition) is cited as a case study.

11. The US CLOUD Act and the Layered Nature of Digital Dependency

U.S. law compels all domestic companies to hand over data, regardless of location—European "data sovereignty" compromised if stored on US-owned clouds (44:44–47:37).
- Even software that is locally hosted in the EU can be vulnerable if the provider is owned by a US company.
- Buytaert: Open source on a US-owned cloud can be more sovereign than European proprietary software on a European cloud, due to portability and code transparency (48:51–50:11).
The importance of assessing "switching costs"—high stakes (e.g. European Commission’s website) necessitate open source as a prerequisite.

12. Is Open Source Enough? The Defensive Position of the EU

Open source is "necessary but not sufficient" for digital sovereignty—broader policies needed: antitrust, procurement mandates, breakup of Big Tech (52:34–53:21).
- European efforts (e.g., Mistral AI, Quant search engine) still depend on US cloud and chips, highlighting the depth of dependency (53:21–55:18).

Notable Quotes & Memorable Moments

On Concentration of Power:
“Techno fascism—it’s kind of a dramatic word, but it points to something real. The challenge is the concentration of powers… a handful of billionaires… control large language models, computation, and increasingly, the information space” —Dries Buytaert [06:36]
On Auditing Algorithms:
“We need like an FDA… for algorithms… When companies like Google, through search results, can change the direction of elections… it may warrant government action.” —Dries Buytaert [08:06]
On Open Source Security:
“Linus made a statement… ‘Many eyes make bugs shallow.’ In proprietary software, maybe 10 people are looking for security problems. With open source, there could be thousands.” [23:06–24:29]
On Forking and Buying European:
“Headquarters or the jurisdiction of a company does not guarantee digital sovereignty… Skype… was European, then bought by an American company. All of a sudden, you lose a European company… That’s why ‘Buy European’ is not enough.” —Dries Buytaert [39:24–41:06]
On Funding Gaps:
“EU spends $264 billion a year on US proprietary IT. The fund for open source? $2 billion over seven years. Basically, three days of the American software bill.” —Dries Buytaert [32:31]
On True Sovereignty:
“Open source software on an American cloud provider is actually more sovereign than proprietary European software on a European data center.” —Dries Buytaert [48:51]
On EU’s Position:
“The EU is not really trying to prevent itself from becoming a digital colony. It is a digital colony. And… that’s [also] the free market liberals in the Renew group in the European Parliament who are saying that.” —Host [51:33]

Segment Timestamps

00:03–03:27: Setting the stakes—US tech’s political influence, examples of throttling global digital infrastructure, and Europe’s sovereignty response.
06:08–09:56: ‘Techno-fascism’ and the open source antidote.
09:56–17:22: Drupal’s global journey: technical philosophy, adaptability, influence of free software movement, relationship with policy change.
20:07–24:29: Open source licensing, security practices, and practical sovereignty.
25:02–29:47: Vetting, volunteer burnout, and EU's sustainability crisis.
29:47–33:03: EU open source funding gap and future vision.
33:43–36:00: ‘Public money, public code’, sovereignty infrastructure, and Buytaert’s “sovereignty scale.”
36:47–41:06: Forking in practice, and why jurisdiction isn’t everything.
44:44–50:11: The US CLOUD Act, layered sovereignty, and why switching cost matters.
52:34–53:21: Open source as a necessarily defensive (but insufficient) step for Europe.

Conclusion

Takeaway:
Open source is rising from the periphery to the center of the digital sovereignty debate in Europe. While open licensing gives Europe an "insurance policy" against hostile control and single-vendor lock-in, Buytaert argues it is not enough without substantial investment, industrial commitment, and strong digital policy. Europe is slowly awakening to its vulnerable position, but has much ground to make up if it is to create real alternatives to Big Tech hegemony and avoid digital colonial status.

For Further Information:

European Open Source Academy: europeanopensourceacademy.eu
Brussels Times podcast section: brusselstimes.com

Loading summary

Transcript119 lines

[00:03]
James Kantor
A handful of American technology companies, companies close to the US Government, provide the backbone for much of the world's digital activity, including in public services. But with the current US administration signaling a shift to autocratic government, dystopic scenarios abound about how this plays out, about how Big Tech, in exchange for contracts and favorable treatment, is reinforcing creeping authoritarianism not just in the but in Europe and even globally. There is talk of mass surveillance and social control, even an era of technofascism powered by data centers that gobble up more and more of our energy and our water. Yes, those warnings could be overdone. But the hazards stemming from Big tech's proximity to the Trump administration, they are not theoretical. Last year, the then prosecutor of the International Criminal Court, who had issued an arrest warrant for the Israeli prime minister, Benjamin Netanyahu. That prosecutor saw his Microsoft email service cut. Anthropic's frontier AI models like Mythos and Fable, which are likely critical for the safety of public infrastructure. They are being withheld by the US and digital laws like those passed in the EU to rein in companies run by Trump's backers like Elon Musk. Those laws have been rolled back under coercive pressure from Washington. It's been a rude awakening, but Europe is now doubling down on what it calls technological sovereignty to reduce dependency on China, but more immediately on the US and on its tech oligarchs. The tech sovereignty push means more EU investment in chips and data centers, incentives for European tech alternatives, and a new focus on open source software. Open source software is copyable and adaptable according to its license, and that means users can switch services pretty much when they want. Proprietary software is different. Products from the likes of Google, Microsoft and Meta cannot be copied. Plus, users often find themselves locked in and unable to switch. The interest in free and open software came of age in the 1980s and 90s, and it developed into a countercultural movement opposed to corporate computing models. But more commercially minded open source advocates have long sought to distance themselves from a perceived dogmatism and even cultishness. Now Open Source is coupling its agenda with Europe's quest for tech sovereignty, not only to stop Big Tech locking in users, but also to stop Big Tech taking advantage of Europe's dependencies. In this episode, a major figure in the world of open source, Dries Burtaert. He developed his Drupal software in Europe, but he now lives and works in Boston. Drupal runs websites for giant corporations like Airbus and Nestle, as well as for a slew of governments and organizations including the European Union. Driess lays out why open source is vital for Europe's sovereignty goals and why he's supporting a European Open Source Academy
[03:28]
Interviewer/Host
backed by the eu.
[03:30]
James Kantor
But he also pushes back against calls to buy European when it comes to software that he says misses the mark. Yes, EU states now do more screening of foreign investments. Even so, says Driess, a European software company still can be acquired overnight along with its data policies too. And for Driess, what matters more for sovereignty is the ability to switch services relatively easily to limit the damage from big tech, making capricious or systematically adversarial changes to its products. Now, making software more resilient is one thing, but an even more important vulnerability for Europe is increasingly in the cloud. That is the vast infrastructure that includes US owned data centers on which the majority of European data still sits and through which it flows. For now, the European Commission plans to let US giants Amazon, Microsoft and Google continue to handle some sensitive European data. That outcome is partly the result of fierce US lobbying, but there are also practical reasons. For example, migrating so much European data would be costly. And as Driess explains, Europe is nowhere near ready to deploy viable industrial grade open source alternatives for the cloud. Nor for AI, he says. Getting there is likely to take 10 years of hard nosed regulation and homegrown innovation. But a decade is an eternity in tech, and that may give the US the opportunity to strengthen what is already a very strong hand. A prospect that will for some make those dystopian scenarios seem not so far fetched after all.
[05:30]
Dries Buytaert
No migrants more in. No Europe without Christianity.
[05:34]
Interviewer/Host
An alliance also with Russia
[05:40]
James Kantor
welcome to EU Scream, the podcast that guides you through stories coming from the eu. We talk about the news a bit differently and with people who really know what they're talking about. I'm James Kantor. This is episode 129 with Dries Burtaert, the founder of the Drupal publishing system, which powers websites around the world using open source software.
[06:09]
Interviewer/Host
Dries Tech does have an image problem. It's increasingly seen as very reactionary, with a lot of sort of toxic masculine energy and just concern about what some people call techno fascism. This idea of algorithmic rather than democratic governance, social control rather than emancipation. How worried should we really be?
[06:36]
Dries Buytaert
Definitely a big concern. I would agree with that. I will say techno fascism. It's kind of a dramatic word and I don't know if I love that word, but it points to something real, right? I think the challenge is the concentration of powers. We basically have a handful of companies a Handful of billionaires behind these companies. And they control the large language models, they control the compute, the platforms, and increasingly the information space and misinformation, all these kinds of problems. And I think it's only getting worse, as you said or alluded to in terms of that AI will concentrate these powers even more. Yeah, it's a real challenge. And actually I think the government has a bigger role to play in this. And I think actually open source has a bigger role to play into this as well. And it's not easy to articulate what that looks like because there's so much money involved. But I think the combination of open source and government, I think there is a path because ultimately I think open source kind of builds checks and balances into the technology stack. It can also be used to distribute capabilities, to make systems more auditable. Like, why do they do what they do? How do algorithms work?
[08:04]
Interviewer/Host
And all of this is pushing against concentration.
[08:06]
Dries Buytaert
Yes, it really is. Yeah. I think open source and governments can push against it. And like for years I've been writing about this concept. It's like an American term, but we need like an fda, a Food and Drug Administration style concept for algorithms. Not everybody loves that idea. Sometimes I don't even know if I love it. But when companies like Google, through search results can change the direction of elections and that has a real impact on society, it may warrant the government having some influence on like, hey, you know what, you know, what's the impact of that? But there's so many big algorithms, AI included, that have such an impact on society.
[08:50]
Interviewer/Host
And think about the Google example. I mean, Google is now sending people to AI summaries, right? So chatbot summary. So we used to do a web search and we would get a lot of links that we would at least have the impression that we had a kind of overview of all the different informational sources there. Now we get an AI summary generated by Google, which of course can be useful, but it may mean that people don't go beyond that. So we this AI summary, this AI generated summary becomes even more a powerful source of how to change people's view of history, how to change their view of current affairs, how to change their view of science.
[09:35]
Dries Buytaert
Exactly. So it's a real problem. And I don't know what the best solution is. Like when you're in the U.S. people in the U.S. often say the U.S. innovates and Europe regulates. I'm sure you've heard this. And I'm actually finding myself also in the camp of like, all right, first Europe needs to innovate. Like, we also have to regulate, but there is, like a balance there.
[09:57]
Interviewer/Host
So your work in technology centers on Drupal. D R U P A L this is the name for the open source software you created about 25 years ago, a quarter century ago. Drupal provides the code and infrastructure used to build and run websites, as well as mobile apps and websites that appear on mobile. And also is used by some of the world's largest companies, governments and public institutions, including NASA, the United nations, the European Union institutions, parts of NATO, and at one point, the White House. What is Drupal's secret sauce? Why has it been adapted so widely over the years?
[10:43]
Dries Buytaert
One of the key things about Drupal is that when I created Drupal, I didn't design Drupal to be finished, but Drupal was designed to be changed. And what that meant is that a lot of other people could come to Drupal and make it theirs. They could add features to it, they could make changes to it, and they could mold it to whatever they needed. So in New York, the metro system, when you take a metro in New York, you have these screens, these TVs, and they say when the next metro arrives, that's actually all powered by Drupal. So they put like sensors on all their trains, they feed that data into a Drupal site and then use a Drupal site to feed all these TVs, if you will. They take the software as an incredible starting point, but then add the things that they needed to apply it to that specific use case.
[11:33]
Interviewer/Host
The first Trump White House actually dropped Drupal in December 2017. It switched to WordPress, which is another kind of website services software. The White House claimed it would save $3 million a year. Now we know to take any Trump administration claims with like a big barrel of salt. I'm just wondering. They didn't like open source born in Europe.
[12:01]
Dries Buytaert
So actually they switched from one open source project, Drupal, to WordPress, which is another open source project. The difference is that WordPress is for simpler websites, less complex websites. And I would say what happened is that during the Obama administration, the administration was very ambitious. So their website was complex. For example, they gave every American citizen a login to whitehouse.gov and they allowed citizens to petition the government was something called we the people. Actually, they called this thing a petition platform. And so I'll give you an example of what they did. So, like, American citizens could say, hey, I don't like that. When I buy a cell Phone. It actually automatically comes with a cell phone plan. It should be unbundled. And so people petitioned, and the administration, the office of the President, they said, hey, if you have X amount of votes for this petition, we will officially react.
[12:59]
Interviewer/Host
That was a direct democracy function within the Obama White House website software.
[13:05]
Dries Buytaert
Yeah. And so that's an example. And so what happened is we got the votes, the office of the President got involved, and they forced the telco companies to unbundle plans from physical cell phones. That's a great example. That had a real impact. Now, when Trump came into the administration, all of these capabilities went straight out of the window, I guess. Plus, as another example, during the Obama administration, the website was translated in multiple language, like Spanish language is an important language in the U.S. all of that got thrown away too. So now the resulting website is a simpler website and it didn't need all of the horsepower, so to speak, that came with Drupal.
[13:46]
Interviewer/Host
This is fascinating about the change in political culture that then can lead to sort of website design and what sort of software is used. And I'd also make this broader observation, and that's the extent to which the Trump administration is actually stripping government web pages of data sets related to things like dei, gender equality and climate research, while simultaneously using US Government websites to wage its own sort of partisan battles. And this shows just how easily the information environment can be weaponized, including through the kinds of products that we're talking about right now.
[14:32]
Dries Buytaert
There's a segue because the European Commission uses Drupal a lot.
[14:36]
Interviewer/Host
I knew that almost all the European institutions are using Drupal.
[14:40]
Dries Buytaert
Yeah, Europe, eu, is that.
[14:43]
Interviewer/Host
Yeah, Europe, eu, I guess, is the main domain.
[14:46]
Dries Buytaert
And some of these are examples of complex use cases like Europe, European Commission website. Obviously, a lot of content gets translated into many languages as an example. So.
[14:57]
Interviewer/Host
Yeah, Now, Dries, the name of your software, it comes from Drupal.
[15:11]
Dries Buytaert
Yeah, Drupal.
[15:12]
Interviewer/Host
Yeah, Drupal, the Dutch word for a drop of water. And that came about through a spelling mistake. I know your original project was called Dorp, which in Flemish means a village. And this village, this Dorp, was an online communication system you built for your student dormitory at the University of Antwerp that had a kind of front page where the group could post news about each other, what was going on. And when you left university, you released this to the world. So a bit like Facebook, but really not Facebook, because Mark Zuckerberg never released Facebook's core source code as open source. Facebook is proprietary code. It still is, but you did the opposite. And so was this a deliberate choice for Open Source? Was it ideological at that point? Was it convenient? Was it naive?
[16:13]
Dries Buytaert
It was a little bit of everything, to be honest. So before I started working on Drupal, so to speak, working on this message board, I had been a small contributor to the Linux kernel and I kind of fell in love with the model in Open Source. It was just very.
[16:31]
Interviewer/Host
And Linux kernel is a.
[16:33]
Dries Buytaert
It's an operating system.
[16:34]
Interviewer/Host
It's an operating system.
[16:35]
Dries Buytaert
Yeah, Linux is an open source operating system. It's sort of one of the original great Open Source projects. And so I was following what's going on with the Linux kernel. I was contributing a little bit on the edges of it and I was using Linux as a user. And so when I decided to make Drupal Open Source, I literally copied the license file from the Linux kernel tree into my website and created a zip file and uploaded it. So I was already bought into Open Source at the time. But I didn't expect again Drupal to grow to what it is today. And of course fast forward 25 years and Drupal is one of the largest Open source projects in the world. I guess what I'm trying to say is there wasn't like a master plan when I made it available. It's just kind of me having fun.
[17:23]
Interviewer/Host
That's very interesting that you say there wasn't a master plan because there's always been a really wide array of diverse users and developers and supporters of Open Source, including libertarian investors and entrepreneurs and mainstream political liberals. And now of course we have many, many governments that are backing Open Source. So how closely does your vision align with that of the folk heroes of the so called Free Software movement? And here I'm thinking of people like Richard Stallman, who is the founder of the Free Software foundation, who worked out of the MIT AI lab in the 70s and 80s. The crucial point is a non free program is an injustice. It shouldn't be developed at all. A non free program is an injustice first of all, because the developer has power over the users. They make the non free software with back doors, which are channels to allow the developer to attack the user of that program. So to use non free software is to basically invite the developer to put its foot on your neck.
[18:42]
Dries Buytaert
Yeah, I feel like I may be a little bit more pragmatic. I think some of the early free software advocates or Open Source advocates there was like a really sort of anti commercialism associated with that as well, which I don't have. I've. I deeply believe in the Four freedoms of open Source and why these are good. I believe in pro privacy, in transparency of data. I believe in all of these things. But I also believe in making money and I also believe in building commercial ecosystem. We have thousands of digital agencies, companies all around the world. I think it's great that open source can also provide a livelihood for people. So I think I would say some of the sort of die hard open source people, they have that kind of like anti commercialism or they may not be too keen on those things, but I find myself being a little bit more on the other side of that spectrum.
[19:41]
Interviewer/Host
It's a big tent Open Source. And back to Stallman. Under the Stallman model, all software derived from or forked, and this is an important term, forked derived from open source must still be available. That forked code must be made fully available so that further users can inspect it. And that is the case with Drupal.
[20:08]
Dries Buytaert
It is. So Drupal actually uses the GPL license and it's sort of the license that Stallman created. Well, what's unique about that license and not all open source licenses have this, is that it says that if you create a derivative work, if you take Drupal, you make changes to it and then if you choose to share those changes, you also have to share them under the GPL license.
[20:32]
Interviewer/Host
It's basically saying, here's the code, it's
[20:35]
Dries Buytaert
yours to use as you wish, but
[20:37]
Interviewer/Host
you need to get on board with this sharing thing as well.
[20:40]
Dries Buytaert
Use one tiny little GPL library somewhere and bam.
[20:43]
Interviewer/Host
Your entire program now has to be
[20:45]
Dries Buytaert
open source, all of it. Now it doesn't mean you have to share the code. Like you can make changes and keep them for yourself, that is totally fine. But the moment you decide to share it, it has to be shared under terms of the gp.
[20:59]
Interviewer/Host
And some companies might want to keep their software in house, for example.
[21:03]
Dries Buytaert
Yeah, so there's other licenses like the MIT license and it's more permissive and basically it allows you to make changes to the code. But then when you share those changes, you can actually change the license. And that has pros and cons. Maybe in the lens of digital sovereignty. I do think Drupal's license is a better license because like sometimes companies will change the license. They have maybe second thoughts. They say, well actually I don't want it to be open source. Or they start adding features to it. And they say, ah, actually we don't want those new features to be available as open source. And this has happened.
[21:39]
Interviewer/Host
How might using proprietary and Hidden code actually be a less safe option than freely available open source code. A lot of people find this highly counterintuitive.
[21:54]
Dries Buytaert
It is counterintuitive. It's actually a little bit scary sometimes for organizations because the first thing that these licenses do, they disclaim any warranty. They say use at your own risk. Now if you're a company that's like, well that's a little bit scary. So the difference between, I think typically the difference between a small open source project and a large successful open source project is that the large open source projects have taken on additional responsibility. That's not strictly required by the license. And so in the case of Drupal it means we said, hey, actually we want to do better than the license actually specifies. We want to have a security team, we want to do long term supported releases. And so we built these additional responsibilities on top of the license so you can look at the license alone. But I think it's also useful to look at the other commitments an open source project makes. Now there's a saying and actually between quotes, a law, it's called Linus law. And Linus is the founder of Linux.
[23:01]
Interviewer/Host
Linus Torvalds.
[23:02]
Dries Buytaert
Yeah, Linus Torvalds, he's the founder of
[23:04]
Interviewer/Host
Linux and he was his Finnish.
[23:06]
Dries Buytaert
Linus made a statement once that was along the lines of many eyes makes bugs shallow. And it's interesting concept because he argues that because the software is open source, everybody can look at the source code and if it's used by hundreds of thousands of organizations, they're all going to look at the source code and they're going to find security bugs versus maybe in a proprietary software company where you have 10 people looking for security problems. And I can make that real. So in the case of Drupal, like all of these big mission critical government websites in Europe, Nasdaq with financial statements, there are sensitivities there. So security matters a great deal for them. And the list goes on and on. A lot of these companies do deep security audits of Drupal. So imagine tens of thousands of mission critical websites, all of these organizations doing security scans, pen testing, trying to find bugs in order to protect themselves. But then also when they do find a security problem, many, most of them have the instinct to contribute back the fix. They'll report that there is a problem, that they found something, and they'll work together with our security team to get these things fixed. And so this is why many eyes can actually make bugs shallow.
[24:29]
Interviewer/Host
But open source developers and maintainers are everywhere in the world. So what if like a Russian state sponsored developer or a Chinese one spent a couple years say building credibility in the Drupal community before inserting like a subtle vulnerability? At what point does accepting contributions from developers in adversarial states become a liability? Is there a need for any vetting?
[25:03]
Dries Buytaert
Well, we do extreme vetting, so I would say we do more vetting than most proprietary software companies. I'll give you a quick example. Like in most software companies, an engineer making a change will commit to change. Best case scenario, there's maybe one other person in that company that will look at the changes made by that engineer and then it gets committed to the next version of the software. In the Drupal scenario, every change often has 20 or so people looking at it. Because we do everything in the open and our governance model, the way we work requires sign offs from multiple people before actually a change makes it into Drupal. So this is the thing that people don't know about open source and about
[25:45]
Interviewer/Host
mature open source security seems especially relevant in light of all the hype around Mythos, this newish AI model from the US company Anthropic, which says that Mythos outperforms humans at hacking, at tearing apart cybersecurity. And it's also relevant in light of how China and Russia also are very sophisticated open source users.
[26:10]
Dries Buytaert
Yeah, we have governance, we have a dedicated team and more than 20 people. Like one of our products is a cloud hosting solution for Drupal. We're one of very few companies that are FedRAMP compliant and you may not know what Fedramp is, but it's in the US Government. It's the highest level of security requirements and it's very, very hard to achieve.
[26:33]
Interviewer/Host
FedRamp was created to allow reciprocity. Cloud service providers can have their products, the cloud service offering evaluated once and that same evaluation leverage by multiple agencies. Or simply put, FedRAMP enables the model
[26:47]
Dries Buytaert
of assess once, report many. And it's what you need basically to run websites like WhiteHouse.gov, like, you know, basically certain websites in the U.S. government that they consider mission critical. If they were hacked, if they were to go down, it could cause kind of, you know, mayhem I guess. And you can only host those kinds of websites if you're Fedramp compliant.
[27:11]
Interviewer/Host
I do think that we are going to see this kind of backlash a little bit from proprietary users who will,
[27:17]
Dries Buytaert
they're going to fight back, who are
[27:18]
Interviewer/Host
going to say, you know, unsafe and you know, a bunch of people with funny looking hair but actually around open Source.
[27:26]
Dries Buytaert
And like it's really misunderstood.
[27:38]
Interviewer/Host
Dries, almost all big tech companies benefit from the open source ecosystem without really giving back. You know, at the same time you have this big global, mostly volunteer community doing bug fixes and mission critical updates for open source, this is grueling work. But this work, again, much of it, quite a lot of it by volunteers, actually ends up subsidizing the code base that the metas and the Amazons and so on depend on. Meta, for example, uses open source to build its products and then makes those products mostly proprietary. Even its famous Llama large language model, which it says is open source, is actually proprietary. At the end of the day, the reality is that these volunteers, some of whom might be very idealistic about tech, probably end up supporting proprietary software. And that sort of seems iniquitous.
[28:32]
Dries Buytaert
Yes, I know. I think when you get involved with open source, you should take the time to understand what you're signing up for. Like if you understand the license of the project that you're going to get involved in, you can then see like, could commercial companies like Ameda use my contributions? And it's not like we're pulling the rug underneath them. Like this is actually what the license allows you to do or not allows you to do. So I think as a contributor you also have a responsibility to decide if you want to support that or not.
[29:06]
Interviewer/Host
Either way, this maintaining of open source code is very taxing and very tiring work. And we've already seen lapses in bug fixes and vulnerabilities having a scary impact on our systems when they do fail or they get hacked. To make matters even more complicated, the original maintainer generation, these are the original volunteers who are involved in the open source community. They're getting older, they are aging, and there's some impetus to train the next generation. That's some of the thinking behind the European Open Source Academy, which is part funded by the eu. Right. And you're sort of part of that initiative as well.
[29:47]
Dries Buytaert
The reason I've gotten involved with the academy is because I feel like we're at this important time in history for Open source. I think of it as like this open source moment. And the goal is really to help educate, I think, policymakers, because Open source, I mean, they're not necessarily technologists, they didn't necessarily grew up with open source. And so we can help them because there's a lot of different parties pushing and pulling here. And I actually do believe that open Source is the only path to real digital sovereignty. And I think Open source as a technology has kind of won. Like I think we've shown that through the open source model you can build superior technology or technology that's on par with commercial software. And you see that because every proprietary software company actually, like you said, uses Open source under the hood. Like there's been studies and it's like 96% or something of all technology companies are actually using Open source. So open source is one in that sense where the challenge is in the sustainability of open source so that you can actually pay maintainers to do the hard work of maintaining the Open source software. Fifteen years ago I kind of made this prediction that Open Source would evolve from volunteer driven to commercially driven to basically supported by governments. And I made that prediction after I realized that open source is a public good and then looking at how other public goods in the world have evolved. So an example would be the road system, schools. Again, same thing with the military. Went from like volunteer driven to, you know, militia commercial, where you pay people to protect villages or now governments are obviously involved. So I kind of predicted that Open Source would follow the same path. And like, you know, many of us, or many open source projects, Linux created by Linus Drupal, created by, we were born out of volunteer hobbyist efforts. But now in the last few years, especially in light of some of the geopolitical tensions, governments are starting to wake up and they say, whoa, actually we use open source everywhere and it's actually pretty important now for critical citizen services and all of these things. And so maybe we need to get involved.
[32:19]
Interviewer/Host
You've written that the EU's proposed funding for open source, including for this kind of maintenance work, this maintaining of the code is nowhere near enough.
[32:31]
Dries Buytaert
Yeah, actually they quote this number that the European economy, so that's the economy more broadly, spends $264 billion a year on U.S. proprietary IT. And the fund that they're going to create to help support Open source in Europe, they're basically committing $2 billion over seven years. So if you compare these two numbers, it's basically three days of the American software bill. It's a good start, but it's still a stark contrast, let's say.
[33:04]
Interviewer/Host
And you conclude that the EU is not yet funding Open source, like sovereignty infrastructure. You use that expression sovereignty infrastructure. And that's a pointed criticism because a key policy right now for the EU is this idea of technological sovereignty. Sovereignty mainly from the United States, but also China. But There is this EU tech sovereignty package that was presented June 2026 and there was an accompanying open Source strategy. What is the significance of this step?
[33:43]
Dries Buytaert
They also adopted some of the language that we have been using for a while in Open source, which is public money, public code. And the idea is very simple. Like if the government uses tax dollars to develop custom software, that software should belong to the taxpayers. So that means the software should be open source. Like why would we take money from taxpayers, people like you and I, and then fund proprietary software that we can use? They are saying that by default, research funding should lead to open source, which is kind of the same concept. And they also said that they would have an open source first principle in procurement. Now that's great, but it's not requiring open source, which is not so great still. And I think for certain mission critical things, Open Source would be important. So yeah, when this package came out, I think it was June 3rd, so just recently I immediately started reading it. And actually one thing that put a smile on my face is one of the blog posts that I wrote was actually in one of the footnotes and it was about the sovereignty scale. I proposed a scale a little bit like when you buy food in Belgium or in Europe, there's like this A, B, C, D, E score on it. I propose something similar, like where you can look at a piece of software and then you get like a rating for how sovereign it is. And they actually, in a footnote, I should say they quoted this as something to maybe explore further, but maybe most importantly was the overall reframe. Because the old argument for Open Source was always about saving money. And now when you read the report, it was clearly about freedom of action and it's clearly about treating Open Source as infrastructure that needs to be sustained with investment, not like software that magically maintains itself. And so the tech sovereignty package mentions open source 300 times. So open Source has really gone from like a footnote to taking the central stage.
[36:00]
Interviewer/Host
And the key factor here is this drive for sovereignty that organizations relying on Open Source or on a vendor of Open Source, they sort of have an insurance policy that if that vendor is acquired by a US company, the underlying software can be forked. So we go back to that concept of forking. Forked meaning again, essentially the same software can be duplicated and further developed independently. Right. And in this world where we suddenly have more adversarial relations with some of our old trading partners, that idea of that insurance policy seems to be one that Europe is now embracing when it comes to software.
[36:47]
Dries Buytaert
Yeah, exactly. Like, yeah, fork means that you can take the code, copy it, and basically make it your Own without having to rely on maybe like the vendor that provided the code. It's like in the most simple term, it's kind of like having a spare key to your own house. Like you invested all of this money in building a house, but imagine you only have one key and if you lose the key you can ever get in. Like it's like that, you know, it gives you a spare key and obviously you hope that you never have to use a spare key. But it's good to have one in case something changes with the vendor. You know, maybe they misbehave, maybe they get acquired, maybe politics or pricing. And so it's a legal right really to copy the code, just keep going with it. There's actually a couple of examples of where this was very useful. So MySQL, which is one of the most prominent open source databases, they were bought by sun in 2010 and then sun was bought by Oracle, one of the largest technology companies. And the community immediately forked MySQL into MariaDB and that meant that many, many organizations in the world could just keep using an open source version of that database.
[38:03]
Interviewer/Host
And was MySQL originally European?
[38:05]
Dries Buytaert
It was originally European as well, yeah.
[38:08]
Interviewer/Host
In this sense, open source is a structural check on the power of any single actor, including hostile state actors, to trap users into having to accept that kind of control over their software.
[38:24]
Dries Buytaert
Yeah, it basically gives you leverage as a government and it means that you can't be held hostage, if you will, you know, the technology cannot be held hostage, you cannot be held hostage, you can keep doing what you're doing.
[38:38]
Interviewer/Host
So forking means you can in principle move to a purely European solution if you wish to. But Dries, what do you make of the idea of making everything European? This is what is behind calls, for example for a so called Eurostack, a stack in tech being a way of describing the overall collection of software systems that are used together to get work done. So a Eurostack would be a collection of European alternatives in AI, cloud and cybersecurity and so on and so forth. Do you think that these Europe only policies like eurostack would be some kind of path to meaningful sovereignty? And if not, why not?
[39:25]
Dries Buytaert
Yeah, I think it's actually flawed. There's this concept of buy European and I think if you're talking about true digital sovereignty, it's a flawed idea. Now don't get me wrong, I think it's great to invest in European companies, it's good for the industry and what have you. If you actually look at it through the lens of digital sovereignty. It's not enough because the headquarters or the jurisdiction of a company does not guarantee digital sovereignty. Because what can happen in a single board meeting is that a European software company can be bought by an American company and immediately you lose control as Europe. And this has happened with Skype, for example. Skype was 100% European software company, a great success story. EBay bought them, an American company bought them, and then Microsoft bought eBay later. And all of a sudden, literally in one board meeting, you lose a European company. And when a company becomes an American company, American law applies. Most recently, one of the flagship European content management systems, a company called Contentful, was bought by Salesforce. And Contentful is used by governments, you
[40:43]
Interviewer/Host
know, and Salesforce is an American and
[40:46]
Dries Buytaert
is an American company, like Contentful is a German company headquartered in Berlin. And once that deal closes, they'll be subject to U.S. law. And that has all kinds of implications. And that's why BI European is not enough, because it's not a durable property of a company. It can literally just change. And you don't have that with open source.
[41:07]
Interviewer/Host
This goes back to some of the great thinkers when it comes to code and software. That code is somehow more powerful and more durable, terrible than some of the other standard ways of looking at the way the economy and political economy operates. Lawrence Lessig comes to mind.
[41:25]
Dries Buytaert
Exactly. And that's why I'm also speaking up, because I think I see policymakers, they put too much emphasis on the location of the headquarter and not enough emphasis on the license. And one of the things that I've been sort of of hammering on my blog and is like, well, actually you should put a lot more emphasis on the license of software and almost no emphasis on jurisdiction. And that's what this digital sovereignty scale is that I published. So at the very bottom, like a, D or whatever, is American proprietary software. One notch up above it is European proprietary software. But it's only a little bit better because of what we just talked about. And then the three layers above it, C, B and A are different flavors of open source. That's actually the hard part. That's where it starts. I can imagine for a policymaker to say bi European is not necessarily. I think both can be true. We can still invest in European software, but for certain things, bi European is not the right thing. That's a tough thing to say, but
[42:37]
Interviewer/Host
it starts by being radically candid. Yeah, I mean, I think some people would say, well, Driese is now based in Boston, so he would say that, you know, there might be cynics who would say, well, I would say, but
[42:48]
Dries Buytaert
I'm also talking against my own business. Like it's weird for my colleagues in the US that I'm here, like saying, hey, don't buy American. You know, like I have an American company. Like I'm actually coming from, you know, like my truth as an individual, this is not promoting Acquia. You know what I mean? I'm promoting Drupal. Yeah, but we have a lot of European customers, so it's interesting that way.
[43:18]
Interviewer/Host
And then a lot of the people who may not like or on social media who may not like or share your posts, I suppose if they're also in software, they maybe have very complex relationships with American providers. And so they're worried about that.
[43:33]
Dries Buytaert
Yeah, exactly. It's complex.
[43:43]
Interviewer/Host
We're speaking in Flanders in Belgium where you come from. But nowadays you spend a lot of your time in the US.
[43:51]
Dries Buytaert
That's right. I moved to the US 2010 because I started Acquia. It's a company born out of Drupal. We provide Drupal products and services and company was really taking off and so I decided to move to the U.S. i've been living in the U.S. for like 16 years.
[44:08]
Interviewer/Host
It's a sizable and important software vendor. And in 2019, Vista Equity Partners, a Texas based private equity firm took a majority stake. This was a stake valuing Acquia at a billion dollars.
[44:21]
Dries Buytaert
It was valuing Acquia at a billion dollars. Yeah.
[44:25]
Interviewer/Host
And what is Vista's, I mean their private equity partners. So what do we know about their strategy?
[44:32]
Dries Buytaert
We don't really know yet. What's going to happen with Acquia? We're not really thinking about that right now.
[44:37]
Interviewer/Host
You're still thinking about being in the private equity investor space in a way for Acquia rather than having an initial public offering or going onto the market.
[44:47]
Dries Buytaert
Yeah, we're not really thinking about ipo. And we did think about it sort of eight or nine years into the company. Like, like, because honestly most companies when they IPO, at least at the time, you know, you're around 100 million in annual revenue and growing at a certain speed. And we check those boxes now, we're like at least three times bigger. And so like we're big enough to ipo, but there's pros and cons to being a public company, the quarterly pressures, you know, all of these things. And we really. And people IPO companies IPO because they need access to the capital markets. They. Because it allows them to raise money from the public, but we don't have a need to raise money from the public. So if you put all of these things together, just the pros and the cons don't lead to like, basically going public.
[45:36]
Interviewer/Host
But going public is not off the cards. I mean, it could happen at some point.
[45:40]
Dries Buytaert
It could happen at some point, but it's not something that we're pursuing right now.
[45:44]
Interviewer/Host
Sadris, you basically want us to accept that software that's open source, the ability to fork the code is the best guarantee of sovereignty, Correct? Okay, but there is something called the U.S. cloud act, the Clarifying Lawful Overseas Use of Data act. This is US legislation that came into force in 2018 with bipartisan support. Actually, the key point is that it allows U.S. authorities to compel U.S. technology providers to hand over data, regardless of where in the world that data is physically stored. Long story short, even EU resident data held by US Companies can be accessed by a US warrant. And that's also a profound sovereignty and privacy problem for Europeans who are so heavily dependent on US Tech infrastructure. Now, now here's what I want to get to. In this sense, a hostile US need not attack the underlying or by the vendor of the underlying open source software at all. It just needs to lean on the cloud providers to withdraw their services. Right?
[47:01]
Dries Buytaert
That's right. It's like they have a kill switch. They can get your data if they really wanted to. They could actually turn off access to the software as well. And that's a problem. And, and this is what happens when a European company changes owners to an American software company. And by the way, all the data centers could stay in Europe, all the employees could stay in Europe. Nothing could change except ownership. Right. And even so, what you just said applies all of a sudden to existing European software companies.
[47:37]
Interviewer/Host
And a big concern in this technological sovereignty package, and I wonder if you share this concern, is that the European Commission proposals actually left the door open somewhat to US Cloud providers like Amazon or Amazon, aws, Google and Microsoft continuing to handle sensitive European data. In other words, the proposed framework still permits these US Platforms to win sensitive contracts. Does that kind of undermine your previous argument that the code itself is the safeguard, when in fact the data can still fall under your jurisdiction?
[48:21]
Dries Buytaert
I don't know if it undermines it, but I do think there's like, layers, and we have to think about each of the layers separately. So I've been very focused on the software layer, the application layer. But yes, we also need to talk about that cloud layer. And if you want true 100% digital sovereignty. You need both to be truly sovereign. Right. And so, yeah, you have to work
[48:43]
Interviewer/Host
every layer of the stack and the cloud layer. It does seem to me that there is a kind of buy European, locate European argument there as well, for sure.
[48:52]
Dries Buytaert
And there should be, because it's good to have your cloud in Europe if you have sensitive data on it. But again, these cloud providers can also be bought by American or Chinese or whatever, software companies or private equity companies. And then what do you do? And I think that's where open source matters a great deal. I made a statement once which made a lot of people kind of go like, huh? And I said open source software on an American cloud provider is actually more sovereign than proprietary European software on a European data center. Probably takes a little bit of time to think through that. And the reason I said that is because if you have open source software on an American data center, let's say you're actually in charge of the data in the software. You can move it anytime you want, anytime you feel like you can make backups, like you're still in control, like you have to decide, do I want to live with that potential of the American government taking my data, by the way, they can just take it.
[50:03]
Interviewer/Host
I think they need a warrant.
[50:04]
Dries Buytaert
They need a warrant. There's some legal steps before they can, you know, take your data.
[50:12]
Interviewer/Host
But we know that they do it. I mean, there was a big court case over whether Microsoft in Ireland needed to hand over data that was held there.
[50:21]
Dries Buytaert
That's right.
[50:22]
Interviewer/Host
And in fact, that is why the US Cloud act was passed. It was to resolve that case.
[50:28]
Dries Buytaert
Exactly. And actually Congress stepped in and they said, we're not going to wait for this lawsuit to play out. We're going to tell them that, yes, we can take their data.
[50:37]
Interviewer/Host
Yeah. The Supreme Court didn't even have to rule on it.
[50:39]
Dries Buytaert
Right. Yeah. So it's very interesting. Now we also know it's very rare. Right. Like there is an example, or maybe there's a couple of examples. And by the way, I also think we need to make a distinction between important or critical software and maybe non critical software, because we have to ask ourselves, what is the switching cost? And for some software, the switching cost is low and maybe then it's okay to go with a proprietary European solution, but we can take some risk. If you will, in a week or so, we can switch everything over. But if the switching cost is very high, like you mentioned, maybe the website of the European Commission, like that would take maybe years to switch. Like we need to be way more thoughtful. And then open source actually needs to become a prerequisite. Like it just needs to become a gate. It needs to be open source whenever these kinds of big decisions are made,
[51:34]
Interviewer/Host
including about cloud providers. Yes, to me, open source it seems like a necessary but insufficient condition for any viable democratic pushback against what some would call techno fascism, but others would call just a very high concentration of tech bros and billionaires with some pretty kooky ideas. They already have so much power. The AI giants are already operating as de facto extensions of US power. They're almost like state actors. The EU is not really trying to prevent itself at the moment from becoming a digital colony. It is a digital colony. And that's not just me saying that. That's the free market liberals in the Renew group in the European Parliament who are saying that. So in this sense, aren't even the best open source policies just a bit defensive at the moment?
[52:35]
Dries Buytaert
It's not enough on its own, so I think it's a necessary step, but it's not enough on its own.
[52:42]
Interviewer/Host
And it does get us onto what's really needed, which might be robust antitrust enforcement, tougher trade laws, real public procurement mandates. So there's not this wiggle room to still not have non open source winning sensitive contracts. An international digital rights framework. I think that's one that a lot of people talk about. But then there's this other one which is break up Big Tech. This is what we hear a lot about, Break up Big Tech that may become a much more mainstream idea. What's your betting on that?
[53:22]
Dries Buytaert
So it may help to do all of these things that you just said and break up Big tech and regulate more, but it does feel a little bit defeatist. I feel there's a real race going on and only the US and China are truly playing. Talking about AI. All of the AI players are basically American companies or Chinese companies. And yes, we have Mistral in Europe, but my understanding of Mistral is like at Boeing back in the. I don't know when it was, when the French government said, hey, we can't just rely on American plates for everything, so we're gonna. They created Airbus, by the way, a Drupal user. Airbus was like heavily funded by French government and it was a success. Right now there's another credible player for aircrafts. And Mistral is kind of the same idea, heavily funded by French government to create a counterweight to OpenAI and Anthropic and some of the Chinese platforms. The irony is they immediately had to go to Nvidia for chips and they had to go to Microsoft for Azure. And so this idea of let's fund a European alternative in the AI space is still today, in fairness, heavily dependent on US software companies. And I think that's going to change.
[54:47]
Interviewer/Host
The underpinning of Mistral still relies on, on these American providers.
[54:53]
Dries Buytaert
Yes. And that shows you the problem that Europe has.
[54:56]
Interviewer/Host
I think, I think this Quant search engine, for example, that the European Parliament has adopted so that it makes headlines quite recently, that the European Parliament is now going to have people use Quant, which is a European product, rather than Google Search. But then when you look at Quant, I think it was actually being powered by Bing, which is a Microsoft.
[55:18]
Dries Buytaert
Yes, it happens. And I think it goes to show that Europe is so underinvested in some of these technologies and we can do all of these things in Europe, but what really needs to happen is we need to get in the race. We need to do whatever it takes to get in the race. And we can use defensive techniques to slow them down or, you know, protect our citizens. And we should probably do all of these things in Europe, but most importantly, we need to get in the game and we are coming from behind. So that means, like, you have to make the right moves to actually first catch up and then, you know, actually be in the race.
[56:07]
James Kantor
That's it for this episode. It was made in partnership with the European Open Source Academy, which advocates for public recognition of open source software and hardware. You can check out their work at EuropeanopSource Academy. EU scream is non profit journalism and is produced in association with the Brussels Times. It's your feedback and support that helps us delve into this new, darker era in our politics, into how the EU should be responding, and into the thoughts and experience of people who really know what they're talking about. Small donations to large ones, that's all incredibly appreciated. It also helps when we get a five star rating at Spotify or a review at Apple. Podcasts and passing on episodes to family, colleagues and friends, that's yet another great
[56:59]
Interviewer/Host
way to show support. Support.
[57:01]
James Kantor
For more details and for more EU scream, do please visit Brusselstimes.com and look for the podcast. Thanks for listening.