Over the last few years, more European companies have started talking about OSPOs, Open Source Program Offices. But the question I keep hearing is still a very basic one: what are they actually for?
From a European perspective, I think the answer is shifting. OSPOs are no longer just about license compliance or legal guardrails. They are becoming a key part of how companies approach digital sovereignty in a practical way.
And digital sovereignty does not mean avoiding proprietary software or cutting ties with the US. It means something much more grounded. Having control over your data. Understanding the code you depend on. Knowing where your data lives, how it is processed, and whether you can move or exit if you need to.
In that sense, an OSPO has two jobs at the same time. One is strategic. Helping the company choose technologies that align with privacy, transparency, and long term resilience. The other is very hands on. Working with developers, supporting open source usage, and building real relationships with communities inside and outside the company.
One challenge I see in Europe is that we simply do not have many mature OSPOs yet. Even fewer people have learned how to run one well. Add increasing regulation around data and AI, and there is a real risk that OSPOs become purely legal functions instead of enablers.
So I am curious how others see this.
If you work with or around an OSPO today:
-
What does it actually spend most of its time on?
-
Is digital sovereignty a real goal, or just a buzzword?
-
And what would need to change for OSPOs to really enable companies instead of slowing them down?
I wrote a longer piece on this topic here, where I share my 2026 perspective and some early examples from Europe:
David Peter Hirsch | Community Ecosystem Senior Manager
Looking forward to your thoughts.