18/11/2025, Main Room
Today, a timely and critical debate is emerging on governments’ role in governing free and open-source software (FOSS) cybersecurity. Often, they have centred FOSS as a tool for ‘digital sovereignty,’ driving competition, innovation and interoperability. Budgets, policies and regulations are shifting, whether by mainstreaming FOSS or through institutional experimentation. China has embedded FOSS within its Five-Year Plan. The EU’s Cyber Resilience Act introduces the novel category of ‘FOSS stewards.’ Highlighting the successes of Germany’s Sovereign Tech Agency, advocates seek an EU-wide fund for FOSS maintenance.
The political, economic and social case for public investment in FOSS maintenance, including for cybersecurity reasons, is obvious. FOSS is ubiquitous and, unsurprisingly, the world’s most widespread and serious cybersecurity incidents have arisen from its vulnerabilities (e.g. Log4j, Heartbleed). Without action, a ‘tragedy of the digital commons’ persists.
Instead, what attracts more controversy are legal and policy regulations beyond fiscal support, where different restrictions and requirements are potentially imposed upon FOSS contributors. FOSS’ open and collaborative nature means that divergent domestic and regional approaches may risk its fragmentation and, thereby, even prove counterproductive for the pursuit of (perceived) sovereign interest.
Encouraging an evidence-based approach for policy development and digital diplomacy, this article undertakes a ‘big picture’ comparative analysis of FOSS cybersecurity policy and regulation from the EU, China and the USA. Firstly, it charts the motivating principles and rhetoric behind their embrace (or lack thereof) of FOSS cybersecurity, characterising their respective approaches as rights- and consumer-protection-driven, State-controlled and market-based. Secondly, it compares key structures, features and tools of those major powers’ cybersecurity policies and regulations involving FOSS, to evaluate compatibility. Finally, it offers reflections, for the FOSS community and policymakers alike, on different avenues for building bridges between regulatory islands as they navigate these uncertain times.
Jennifer is an independent legal consultant and PhD Candidate (International Law x Computer Science) at the University of Cambridge as a World Ramsay Scholar. She researches the global governance of open-source software. An experienced Australian public international lawyer, she has advised on a broad range of matters at the intersection of technology, human rights and policy, including for the public and private sectors. She has worked as Senior Legal Advisor to the UN Special Rapporteur on Freedom of Religion or Belief, for leading international law firms, and has served on the International Law Association’s Global Board. Jennifer holds an LLM and a BA/LLB (Hons.).