When the European Commission set out its Technological Sovereignty Package in June 2026, it did two things at once. It proposed the Cloud and AI Development Act (CADA), which grades cloud and AI services by sovereignty level and steers sensitive public-sector workloads towards providers that keep data under European control. And alongside it, in the same package, it published an EU Open Source Strategy that puts open source at the centre of how Europe expects to win that control back.
The message looks simple: open source is the recommended route to sovereignty. The Commission is making a sound recommendation. Open source can deliver genuine sovereignty, but it comes with costs that are easy to overlook.
What open source really means
Let us be clear about what open source gets right, because the case for choosing a platform only holds if it is honest about the alternative.
A self-hosted open-source stack, run on infrastructure you control, under European law, with no foreign operator in the path, is genuinely sovereign. The licence is free. The code is inspectable. There is no vendor who can change the terms at renewal, because there is no vendor. For an organisation with the engineering depth to run it, that is a real and defensible answer to the sovereignty question.
The open source model itself is not what puts compliance at risk. The risk lies in the operating model that open source technologies require before they yield predictable audit results. A lean team without access to enterprise-level resources and expertise will face serious challenges in audits with an open source security stack.
Open source burdens lean teams in three ways
Most regulated security teams in the European mid-market are small. Often fewer than ten people. In a municipality, sometimes two or three. They already carry monitoring, investigation, reporting, and evidence across fragmented systems. Open source asks them to carry three more things.
1. The stack you build is the stack you maintain
A free licence is not a free platform. Someone has to build the pipeline, tune the detections, patch the components, manage the upgrades, and keep the whole thing running on the night an incident lands. That someone is your team. The cost did not disappear; it moved from a line item to a headcount request. The Commission's own strategy lists maintenance and scaling as the ecosystem's hardest unsolved problems — and a lean team inherits that problem in full.
2. Having control is not the same as proving it
Sovereignty under CADA and NIS2 is not only about where your data sits. It is about whether you can show who accessed what, when, under what authorisation, and within which jurisdiction. A self-built stack can hold that evidence. But assembling it into something defensible, consistently, across components you have wired together yourself, is complex work. That work falls on the same small team, usually at the worst possible moment. Control you cannot evidence quickly is control you cannot stand behind.
3. A sovereign choice has to survive personnel changes
Most open stacks that lean teams run today depend on the one engineer who built them. When that engineer leaves, the knowledge leaves too. When traffic spikes, the tuning has to keep pace. When the budget round comes, the maintenance effort has to be defended without the predictability a contract gives you. Free at the point of licensing can become expensive, and fragile, at exactly the point you most need it to hold.

The true cost of open source is reflected in headcount
Open source removes the licence fee, but it does not remove the work. Public sector bodies like transport authorities, healthcare institutions, and municipal IT departments have to delegate that work to people on the payroll. The cost does not disappear when the licence does. It moves from a line item your finance team can plan around to a headcount your HR team has to fill.
That distinction is critical in the public sector because public bodies often find security engineers hard to hire and harder to retain. You compete for the same scarce talent as banks and software firms, but rarely at an advantage.
Here is what a realistic three-year picture looks like for a mid-sized public sector entity with a lean security team and strict compliance obligations under NIS2. It chooses a self-built open-source SIEM — a Wazuh or OpenSearch-based stack, for example — running on infrastructure it already operates.
- Software licence: €0. It's true that open source carries no licensing fee, which is the single strongest benefit it offers.
- The platform still has to be built, tuned, patched, upgraded, and run. This is continuous engineering work, not a one-off implementation cost.
- Headcount required: at least one full-time engineer, plus backup. You need one full-time engineer to build and operate the stack, and a trained backup so the whole system does not rest on a single person. In practical terms, the minimum a public body can depend on is 1.5 full-time engineers.
- Salary basis: €81,500 gross per year for a mid-to-senior security engineer with SIEM skills, conservatively calculated from Optima Europe's 2026 European cybersecurity salary benchmark. Public bodies often have to match this market rate or pay contractor day rates above it to ensure the role is filled.
- Employer on-costs: +30%, covering social contributions and benefits, for a fully loaded cost of €105,950 per engineer per year. This too is conservative — it leaves out recruitment, tooling, training, and management overhead.
The three-year calculation
A loaded cost per engineer of €105,950 per year multiplied by 1.5 engineers leads to the following three-year total cost of ownership:
| Cost line | Year 1 | Year 2 | Year 3 | Three-year total |
|---|---|---|---|---|
| Software licence | €0 | €0 | €0 | €0 |
| Platform engineering (1.5 FTE at €105,950) | €158,925 | €158,925 | €158,925 | €476,775 |
| Total | €158,925 | €158,925 | €158,925 | €476,775 |
The free licence holds for all three years. The platform behind it costs €476,775 over the same period — and every euro of that is salary.
That total moves with the headcount, not the licence. A single engineer brings it down to €317,850 over three years, but creates significant risk as the entire platform relies on one person. Achieving proper redundancy with two full-time engineers takes it to €635,700.
Importantly, this is a simplified model of real-world costs. It excludes the heavier build effort in the first year, salary inflation across the term, and the cost of the post sitting empty. Many organisations spend months trying to recruit security engineering talent; someone must still keep the stack running during that time.
The real question CADA asks is who carries the weight
CADA defines sovereignty requirements for regulated organisations, but the problem is not choosing between open source and a platform vendor — both routes can be sovereign. The problem is choosing whether your lean team carries the build, the proof, and the durability themselves, or whether a platform carries them so the team can do the work only it can do.
The same logic sits underneath cloud dependency risk: security outcomes should depend on your control, not on someone else's decisions. Open source removes the foreign vendor from that equation. It does not remove the operational weight — it transfers all of it to you.
Here's what the EU actually recommends
CADA itself does not mandate open source. It builds a single EU-wide framework for assessing cloud and AI sovereignty, and a mechanism for the public sector to adopt services that meet it. The open-source push lives in the companion document — the EU Open Source Strategy — which promotes European open alternatives to non-EU proprietary tools in critical domains, cyber security among them.
Both sit inside the same package, and they point the same way: reduce dependence on providers outside the EU, and bring control over critical infrastructure back under European law. On that, Guardsix and the Commission want the same outcome.
The strategy is also candid about the catch. It names the structural problems the European open-source ecosystem still has to solve: limited long-term funding, difficulty maintaining and scaling projects, and the gap between a working project and something an organisation can depend on in production. The Commission admits this plainly in the same document that makes the recommendation.
That candour matters, because it points straight at the part a lean team has to think hardest about.
Where Guardsix fits
Guardsix SIEM gives a lean regulated team sovereign control without the stack to maintain. Three things make that real.
- European jurisdiction. Guardsix is EU-headquartered and governed by European law alone, so your logs, audit trails, and access records sit under one jurisdiction — the one you can answer for.
- Predictable pricing. Node-based pricing scales with the infrastructure you run, not the data you generate. No ingestion surprises, no need to expand headcount, and a total cost of ownership often significantly lower than the open source alternative.
- An active on-prem roadmap. Staying off the cloud is a direction we keep investing in, not a legacy option we are quietly winding down.
Together they produce what a regulated team is actually buying: sovereign log management that keeps every log on European soil, audit-ready evidence that maps straight to your compliance controls, and the consistency to answer the only question that matters when an incident hits — can you show what happened, and that the data never left your control?
The EU is right that sovereignty is the destination. For a lean team with strict obligations, the route that gets you there and keeps you there is the one that does not ask you to become a platform engineering shop first.
What this means for your organisation
If you are looking at open source as your route to sovereignty, the licence is the simplest part of the decision. The cost that follows is carried in headcount, year after year, and it lands hardest on the lean teams the obligation affects most.
Our playbook for Sovereign Security under CADA lays out what the proposal means in practice, where open source genuinely fits, and how a regulated organisation can meet the obligation without becoming a platform engineering shop to do it.