The Open Source Business Alliance (OSBA), a trade association representing Germany's open source industry, has published a comprehensive position paper addressing the sustainable procurement of open source software in public administration. Released on 11 February 2025, the document titled "Selection Criteria for the Sustainable Procurement of Open Source Software" offers guidance to public authorities seeking to identify high-quality open source providers whilst reinforcing the broader open source ecosystem.
Addressing Procurement Challenges
The position paper identifies a key challenge in procurement processes. As the document states:
"The business models behind open source solutions function fundamentally differently than those for proprietary software: With proprietary software, the manufacturer participates in every licence sold, even if the licence was granted by a third-party provider. With open source software, additional services are usually offered commercially instead of the software licence."
This distinction creates circumstances where "third-party providers [have] the opportunity to outdo the actual software manufacturer in a bidding process by making unrealistically low offers," resulting in a situation where "no money goes to the open source manufacturer, who is therefore unable to invest sufficiently in the further development and maintenance of the open source solution."
Four Key Selection Criteria
The paper outlines four key criteria for sustainable procurement of open source software:
- Relationship with software manufacturer/community: Providers should demonstrate close ties with the software manufacturer or community through partnerships, contributions, or employing core developers. This ensures direct access to technical support, early awareness of security vulnerabilities, and influence on future development. The closer this relationship, the more the contracting authority benefits from tailored functionality, rapid issue resolution, and long-term software availability.
- Upstream publication of modifications: Contractors should ensure that any modifications or customisations are published back to the original project, avoiding unsustainable forks. This prevents maintenance challenges where separate derivatives become costly to update with security fixes. Providers with close community ties increase the likelihood of patch acceptance, ensuring software quality and enabling reuse across the public sector.
- High-quality level 3 support: Providers must demonstrate their ability to deliver expert-level support through either qualified staff with source code knowledge or contractual arrangements with the software manufacturer. This ensures contractually agreed response times can be met and complex technical issues resolved, maintaining operational continuity and minimising downtime for the contracting authority.
- Securing the supply chain: Providers should actively support core components used in their solutions, contributing to their development and security compliance. This supports implementation of requirements like the Cyber Resilience Act and demonstrates a transparent approach. Such involvement is essential for ensuring the long-term availability of updates and maintenance for all components, thus guaranteeing supply chain security.
Practical Implementation Guidelines
The document includes detailed appendices with practical implementation guidance, offering procurement officials sample formulations for both mandatory (A-criteria) and evaluative (B-criteria) procurement requirements. These templates provide scoring scales and evaluation frameworks that can be adapted to specific tendering situations.
If you would like further information, please refer to the paper, which is available here.