Perforce Software, in collaboration with the Open Source Initiative (OSI) and the Eclipse Foundation, has released the 2026 State of Open Source Report. The comprehensive report examines the global trends, priorities, and concerns impacting open source software (OSS) adoption. Based on survey responses from OSS users across organizations of all sizes and over a dozen industries worldwide, the findings reveal critical areas of maturity, opportunities for growth, and shifting attitudes around security, compliance, and sovereignty.
Key Report Findings
Europe is moving towards OSS at a faster pace than US counterparts due to vendor lock-in concern (63% in EU and UK vs 51% in US)
60% of those working for large enterprises (5,000+ employees) spend 50% or more of their time on maintenance and bug fixes.
Keeping up with security updates and patches remains the greatest challenge across all organization sizes.
The majority of organizations that failed a compliance audit last year have end-of-life (EOL) software in their stacks, and the audit failure rate was twice as high for those running legacy versions of Tomcat, Spring Boot, and Spring Framework.
Avoiding vendor lock-in has emerged as a leading driver of open source software adoption, cited by 55% of respondents — representing a 68% year-over-year increase. The trend is particularly pronounced in the EU and the UK, where 63% of organizations identified vendor lock-in as a top reason for choosing OSS, compared to 51% in North America.
“Digital autonomy has become a strategic priority for European organizations, and it’s part of a broader push toward data sovereignty in light of increasingly strict EU regulatory requirements,” said Matthew Weier O'Phinney, Principal Product Manager for Perforce OpenLogic and the report’s lead author. “Open source provides a clear path to that independence, but it must be paired with infrastructure choices that preserve flexibility. Vendors that focus on portability — allowing customers to deploy where they choose — and deliver value instead of lock-in will be essential partners in achieving digital sovereignty.”
Whilethe reportshows that open source adoption is robust — less than 2% of organizations decreased their OSS in the past year — it also uncovers operational, security, and compliance challenges preventing some organizations from realizing its full potential.
Open Source Maintenance Overshadows Development
The report reveals that 60% of those working for large enterprises (5,000+ employees) spend 50% or more of their time on maintenance and bug fixes. For Enterprise Java teams, the imbalance is even more severe: close to one-third (31%) spend between 75 to 90% of their time maintaining and fixing, leaving only 10 to 25% for new functionalities.
“The six-month release cycle for JDK, which has also been adopted for Spring Framework, means that Java developers must upgrade more frequently,” Weier O’Phinney explained. “Additionally, Java 17 introduced a breaking namespace change that affects nearly all Java applications, which automation cannot fully correct. This shifts development focus from features to maintenance, costing companies valuable time.”
Security and Vulnerability Remediation Hurdles Remain
Keeping up with security updates and patches remains the greatest challenge across all organization sizes. 20% of organizations admit to having no specific process for addressing Common Vulnerabilities and Exposures (CVEs), while 39% of large enterprises report that meeting internal SLAs for vulnerability remediation is difficult.
Compliance Risks Linked to Legacy OSS and Lack of Planning
The majority of organizations that failed a compliance audit last year have end-of-life (EOL) software in their stacks, including CentOS and AngularJS. Alarmingly, the audit failure rate was twice as high for those running legacy versions of Tomcat, Spring Boot, and Spring Framework. Furthermore, only 16% of respondents indicated that they have a plan to address forthcoming compliance changes, like the EU Cyber Resilience Act, which is partially in effect now and will be fully enforced by the end of 2027.
“The 2026 State of Open Source Report shows that organizations view open source as a path to digital sovereignty — but achieving that autonomy requires treating compliance, security, and governance as foundational elements of their strategy,” said Deb Bryant, Interim Executive Director, Open Source Initiative. “We’re seeking ways to reduce the compliance burden, particularly in Europe, so that more companies can confidently deploy OSS and ensure the benefits clearly outweigh the risks.”
