Your expert for questions
Marcel Scholze
Director Open Source Software Services & IT Sourcing at PwC Germany
Tel: +49 151 16157049
Email
A clear trend towards more intensive use of Open Source Software (OSS) can be seen among German companies and public institutions. This development reflects the global trend of companies and public authorities recognising the benefits of OSS, including cost savings, expanded innovation opportunities and increased flexibility. While just over two-thirds of organisations reported using Open Source Software in 2019, more than three-quarters of the organisations surveyed did so in 2021 and again in 2023. Of the large companies with more than 2,000 employees, as many as 85 per cent said they actively used Open Source Software in 2023. Open Source Software has also established itself in public administration: 59 per cent of the authorities surveyed use Open Source Software.
These are the results of the third Open Source Software (OSS) study for Germany, published by the digital association Bitkom e. V. PwC Germany sponsored and co-designed the study and summarises the key results here.
Open Source Software – OSS for short – is now state of the art in the German economy: two-thirds of large companies with more than 2,000 employees have formally or informally assigned responsibility for Open Source. In public administration, 30 per cent of respondents could name a formally or informally assigned responsibility for OSS.
Participation in the (further) development of Open Source remains at a high level. Every second company with more than 100 employees stated that it participates in the development of Open Source Software. A particularly high increase can be seen in public administration: while 46 per cent of respondents said they were involved in the development of OSS in 2021, 60 per cent were already active in further development in 2023.
A professional Open Source Management System is essential today to meet the growing demands for secure and resilient technology use in German companies and public authorities. While many organisations have already implemented adequate governance structures for compliance, there is still significant room for improvement in the area of security.
The professionalism with which Open Source is used is continuously increasing, e.g. in terms of transparency, compliance and security. This development is significantly influenced by the publication of standards such as ISO/IEC 5230 or ISO/IEC 18974 – the new standard for Open Source security – as well as by industry-specific or national requirements such as DORA (Digital Operational Resilience Act) or the Cyber Resilience Act (CRA), which is currently being developed. More than half (56 per cent) of the large companies expect to be strongly affected by the upcoming Cyber Resilience Act. In the public sector, the figure is as high as 67 per cent. An effective Open Source Management System is therefore not only a recommendation but a necessity: it minimises security risks in today's digital landscape and establishes conformity with the growing regulatory requirements.
Security gaps – for example due to outdated components, missing identification and response mechanisms, unclear provenance or non-transparent dependencies – can lead to exclusion in procurement processes, loss of reputation or massive legal and financial consequences in the B2B environment.
Particularly serious in this context is the fact that only about one third of the companies surveyed use analysis tools to check their Open Source Software for vulnerabilities. 40 per cent of the respondents only carry out manual checks. Another third of respondents rely on information from the respective commercial providers of the OSS components they use for OSS security, which leaves the detection of vulnerabilities in transitively included dependencies to a third party. Particularly in view of the increasing regulatory requirements for the resilience of IT and the desired promotion of digital sovereignty, especially in the public sector, there is an urgent need for improvement here. Looking at public administration, only 28 per cent currently have their own tool for analysing vulnerabilities in the Open Source Software they use.
“The current figures clearly show that there is a considerable need for action on the topic of security and Open Source Software. Nevertheless, it should always be pointed out and made clear that Open Source is not to be regarded as less secure than closed source software.”
In this context, the soon-to-be-published ISO/IEC 18974 on Open Source Security offers valuable assistance and standardises the necessary framework for the implementation of an Open Source Security Management System. It will therefore be interesting to see how the study results on Open Source security develop over the next few years once ISO/IEC 18974 is established on the market.
The creation of high-quality SBOMs (Software Bills of Materials) is now established practice and an essential tool for ensuring transparency and security within the software supply chain. The current study results underline the growing importance of SBOMs in the German market. According to the study, 45 per cent of the large companies surveyed (with more than 2,000 employees) state that they already provide SBOMs for their products. However, the study cannot provide any information on the quality, completeness or degree of standardisation of these SBOMs; an SBOM that lacks versions, unique identifiers or dependency relationships adds little transparency.
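Because the study cannot say anything about SBOM quality, a practitioner receiving an SBOM from a supplier will want a minimal completeness check before relying on it. The following is an added example written for this page; it is not code from the Bitkom study, from PwC or from any SBOM tool. It assumes a CycloneDX-style JSON document and uses a constructed sample SBOM with hypothetical component names (`lib-a`, `lib-b`, `example-app`). The fields it checks correspond to the NTIA minimum elements for an SBOM: supplier, component name, version, a unique identifier (here the purl), dependency relationships, SBOM author and timestamp.

```python
"""Minimal SBOM completeness check (added example, not from the study or PwC).

Assumes a CycloneDX-style JSON document. The sample SBOM below is constructed
for illustration; component and author names are hypothetical.
"""
import json
from typing import Any

# Constructed sample: two components, one of them deliberately incomplete.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2023-11-01T10:00:00Z",
        "authors": [{"name": "example-build-pipeline"}],  # hypothetical author
        "component": {"name": "example-app", "version": "1.0.0", "bom-ref": "app"},
    },
    "components": [
        {
            "bom-ref": "lib-a",
            "name": "lib-a",
            "version": "2.3.1",
            "purl": "pkg:pypi/lib-a@2.3.1",
            "supplier": {"name": "Example Maintainers"},
        },
        {
            # Missing version, purl and supplier: a typical low-quality entry.
            "bom-ref": "lib-b",
            "name": "lib-b",
        },
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
    ],
})

# Per-component fields a consumer needs to match the entry against advisories.
COMPONENT_FIELDS = ("name", "version", "purl", "supplier")


def check_sbom(raw: str) -> dict[str, Any]:
    """Return a report: document-level gaps plus per-component missing fields."""
    doc = json.loads(raw)
    meta = doc.get("metadata", {})

    # Document-level elements: who produced the SBOM, when, and the dependency graph.
    document_gaps = []
    if not meta.get("timestamp"):
        document_gaps.append("timestamp")
    if not meta.get("authors"):
        document_gaps.append("authors")
    if not doc.get("dependencies"):
        document_gaps.append("dependencies")

    # Component-level elements: record every missing field per component.
    component_gaps: dict[str, list[str]] = {}
    for comp in doc.get("components", []):
        missing = [f for f in COMPONENT_FIELDS if not comp.get(f)]
        if missing:
            component_gaps[comp.get("bom-ref") or comp.get("name", "?")] = missing

    # Every component should appear in at least one dependency relationship;
    # an orphaned entry usually means the graph was not actually recorded.
    referenced = set()
    for dep in doc.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))
    unreferenced = sorted(
        c["bom-ref"] for c in doc.get("components", [])
        if c.get("bom-ref") and c["bom-ref"] not in referenced
    )

    complete = not document_gaps and not component_gaps and not unreferenced
    return {
        "complete": complete,
        "document_gaps": document_gaps,
        "component_gaps": component_gaps,
        "unreferenced_components": unreferenced,
        "component_count": len(doc.get("components", [])),
    }


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```

On the constructed sample the report flags `lib-b` as missing its version, purl and supplier while the document-level metadata and dependency graph pass, which is exactly the kind of partial SBOM a "we provide SBOMs" answer in a survey can hide. A real intake process would run this kind of check before feeding the SBOM into vulnerability matching, since entries without a version or identifier cannot be matched to advisories at all.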
The 2021 study report noted an improvement compared to 2019, but still a significant need to catch up in terms of strategies, processes and compliance when dealing with Open Source. And indeed, a lot has happened since then: while in 2019 only just over 20 per cent of the companies surveyed with more than 100 employees had an Open Source strategy, by 2021 this figure had risen to 32 per cent. At 35 per cent in 2023, however, this positive trend is continuing rather slowly. If we look at larger companies with more than 2,000 employees, about one in two now has its own OSS strategy.
The proportion of companies that have a compliance policy for Open Source has risen steadily since 2019. In 2019, only about 17 per cent had such a policy. While in 2021 it was already 27 per cent, in 2023 32 per cent of the respondents had an Open Source policy in place.
“The current figures underline the trend of the last few years that OSS compliance is developing well – but we are still far from the home stretch. ISO 5230 provides valuable guidance on how to move forward in a structured way.”
The Linux Foundation's OpenChain standard has been available since December 2020 as ISO/IEC 5230 and is of central importance for managing compliance when dealing with Open Source solutions. It enables companies to reduce OSS licence compliance risks in the supply chain. More than half of the companies that use Open Source are aware of the standard.
At the same time, many of the respondents state that there is still a need for more in-depth knowledge on this topic. It is mainly larger companies with more than 2,000 employees that are currently working on the implementation of ISO/IEC 5230 or have already completed it.
This is not surprising, finds PwC expert Marcel Scholze. After all, the standardisation and certification of specific compliance programmes often starts at the most critical point in the supply chain where risks materialise – the OEM, says the expert. However, since compliance in the supply chain requires a joint effort, it is important that penetration also takes place throughout the supply chain.
PwC's Open Source Software Management team provides comprehensive support to companies and public authorities on the subject of Open Source Software: from strategy and the enablement of Open Source Software, the establishment of OSPOs and compliance or security processes including tooling, and the certification of OSS management in accordance with ISO/IEC 5230 and ISO/IEC 18974, through to managed services such as code scanning, SBOM creation, supplier compliance audits and employee training.
“Industry and the public sector have made progress in adapting Open Source management practises. However, there is still an urgent need for action in implementing compliance and security measures.”
Marcel Scholze, Head of Open Source Software Management Services at PwC Germany
Bitkom Open-Source-Monitor 2023
The Open Source Monitor 2023 is the third Open Source Software study for Germany. For the new edition of this representative study, the digital association Bitkom e. V. surveyed more than 1,150 companies with at least 20 employees as well as 100 public-sector organisations. In addition to analysing current developments, the study also offers insights into trends and changes compared to the last representative survey from 2021.
For the study, companies and public authorities were asked a series of questions about their openness to OSS and its use, the advantages and disadvantages, and their involvement in the further development of OSS. In addition, the study participants were asked about compliance topics and the international standard on Open Source License Compliance (ISO 5230).