· 2 min read

You do not need an Open Source Program Office.

Every digital sovereignty talk ends the same way: set up an OSPO, and the idea gets filed under someday. But the office is not the point. It is a container for the jobs your vendor used to do, priced into the license fee and now yours to own. Name who owns them and you are ahead of most.

You do not need an Open Source Program Office.
You don’t need an Open Source Program Office (OSPO). You need the jobs it owns.

You need what it does.

Almost every discussion on digital sovereignty ends the same way: set up an OSPO. Every decision-maker hears the same thing. A whole department? Headcount, budget, a mandate I will never get signed off. They file it under someday.

The office is where it ends, not where it starts. Sovereignty is not a label or a suite you buy. It is the question: when the vendor is gone, who runs the technology you depend on?

When you leave a proprietary vendor, you are not swapping one product for another. You inherit the jobs that vendor quietly did for you, priced into the license fee. I count three.

Someone has to decide what is allowed in the building, and what you standardize on. That used to be the vendor's roadmap. Now it is a choice you own.

Someone has to keep you legal: checking no component's license forces your code open or lands you in court. The vendor's contract covered that. Now it sits with whoever builds it.

And someone has to keep it running and secure: watching for holes, patching them before they are exploited. Now that fix is yours to place, or a partner you choose.

That is the OSPO, unpacked. It is a container. The three jobs are the content.

You can skip the office. You cannot skip the jobs. Leave them unowned and they do not vanish; they sit in a blind spot.

None of this is only about software. The same three jobs run through every layer you depend on: your data, your infrastructure, the people who log in. Different layers, one set of jobs.

Then there is a fourth, the one almost everyone misses.

This transition was never just you consuming a product. It is you joining an ecosystem your sovereignty rests on, maintained by people you will never meet, many unpaid.

If everyone only takes, the projects everyone depends on slowly rot. That is a security problem, not a charity one.

Contributing back, sponsoring a maintainer, reporting a bug: this is not idealism. It keeps the foundation standing, and it buys you something no proprietary vendor sells: a hand in shaping the tools you run on.

The jobs are the same everywhere. How you do them is not: what fits five people will not fit five thousand. Sovereignty is a path you learn, not a template you copy.

Naming the owner is only the start. The technology is the easy half; moving people to new ways of working is the rest.

I advise public and private organizations, and this is the debate I keep having. It stays stuck on the office, while nobody owns the details underneath. The office is rarely what they need first. Knowing who owns the work almost always is.

Before you ask whether you need an OSPO, answer the smaller questions. When the technology your business runs on breaks on a quiet weekend, whose job is it? When a new component comes in, who owns the license? If you can name the person, you are ahead of most organizations. If you cannot, that is the gap no department label will close for you.

Read next