
Public Code and SBOM

The "Public Money, Public Code" principle states that software financed with tax money should be made available to the public as Open Source. This promotes reuse, reduces redundant development, and strengthens the digital sovereignty of the state.

Complementing this, the Software Bill of Materials (SBOM) is the necessary security standard to gain transparency about the components used and their security status.

Anti-Patterns: The Blackbox Administration

Many authorities use proprietary software whose functionality cannot be verified. This leads to dependencies on individual service providers, makes interoperability between different agencies more difficult, and harbours unrecognised security risks in the software supply chain. Without SBOM, in the event of a newly discovered vulnerability (such as Log4j), it is nearly impossible to quickly determine which systems are affected.

Transparency by Default

  1. Open Source by Default: New software projects in the public sector are developed under a free licence (e.g. AGPL or Apache 2.0).
  2. Mandatory SBOMs: Every software vendor must provide a machine-readable list of all included libraries and licences (e.g. in CycloneDX or SPDX format).
  3. Central Repositories: Building federated code platforms (such as opencode.de) to facilitate exchange between cantons and municipalities.
  4. Security Audits: Public code enables independent security reviews by the community and subject-matter experts.
  5. EMBAG Compliance: Implementation of the legal requirements for the use of electronic means (EMBAG) through consistent openness.
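The anti-pattern above (no way to tell which systems contain a newly vulnerable library) and item 2 of the list (machine-readable SBOMs in CycloneDX or SPDX format) come together in the following added example. It is not code from this page, from opencode.de or from any named project; it assumes CycloneDX JSON SBOMs, constructs three small sample SBOMs inline, and uses a constructed sample advisory whose coordinates and version range are illustrative placeholders, not data from any real vulnerability record.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample inventory: three systems, each with a minimal CycloneDX 1.4
# JSON SBOM of the kind a vendor would deliver under a mandatory-SBOM rule.
# Component coordinates use the Package URL (purl) convention that CycloneDX uses.
SBOMS: Dict[str, str] = {
    "building-permits-portal": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
             "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"type": "library", "group": "org.springframework", "name": "spring-web",
             "version": "5.3.10",
             "purl": "pkg:maven/org.springframework/spring-web@5.3.10"},
        ],
    }),
    "tax-filing-backend": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
             "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        ],
    }),
    "civil-registry": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "group": "ch.qos.logback", "name": "logback-classic",
             "version": "1.2.11",
             "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.11"},
        ],
    }),
}

# Constructed sample advisory: coordinates and version range are illustrative
# placeholders chosen to exercise the matching logic, not a real advisory record.
ADVISORY = {
    "group": "org.apache.logging.log4j",
    "name": "log4j-core",
    "affected_from": "2.0",   # first affected version (inclusive)
    "fixed_in": "2.15.0",     # first fixed version (exclusive upper bound)
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); a pre-release suffix such as '-beta9' is dropped."""
    core = version.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, affected_from: str, fixed_in: str) -> bool:
    """True when affected_from <= version < fixed_in, compared segment by segment."""
    v = parse_version(version)
    return parse_version(affected_from) <= v < parse_version(fixed_in)


def affected_components(sbom_json: str, advisory: dict) -> List[str]:
    """Return the purls in one CycloneDX SBOM that match the advisory's coordinates and range."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    hits = []
    for comp in bom.get("components", []):
        if (comp.get("group"), comp.get("name")) != (advisory["group"], advisory["name"]):
            continue
        if is_affected(comp.get("version", "0"), advisory["affected_from"], advisory["fixed_in"]):
            hits.append(comp.get("purl") or f'{comp["name"]}@{comp.get("version")}')
    return hits


def triage(sboms: Dict[str, str], advisory: dict) -> Dict[str, List[str]]:
    """Map each system to its affected component purls; systems without a hit are omitted."""
    result: Dict[str, List[str]] = {}
    for system, sbom_json in sboms.items():
        hits = affected_components(sbom_json, advisory)
        if hits:
            result[system] = hits
    return result


if __name__ == "__main__":
    for system, purls in triage(SBOMS, ADVISORY).items():
        print(f"{system}: {', '.join(purls)}")
    # prints: building-permits-portal: pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1
```

Run as-is, the triage reports only the portal still on the affected version; the backend on a fixed version and the system that never shipped the library are correctly left out. The same query over a directory of vendor-supplied SBOMs is what turns "which systems are affected?" from a manual survey into a lookup; an SPDX SBOM would need the same matching logic applied to its package fields instead of the CycloneDX `components` array.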

The Advantage: Federal Efficiency

One canton develops a solution for building permit management — other cantons can adopt, adapt, and improve this code instead of reinventing the wheel each time.

FAQ

Are we not giving away valuable intellectual property by opening the code?

No, we are investing in shared infrastructure. The value lies in the functioning process and the data, not in the lines of code themselves. By sharing, maintenance costs decrease for everyone.

Does publishing the code not increase the risk of cyberattacks?

No. True security is based on robust architecture, not on secrecy. Security through obscurity does not protect against professional attackers — transparency, on the other hand, enables faster patches.

Reference Guide

  • FSFE — Public Money Public Code: The European initiative for Open Source in public administration. publiccode.eu
  • Open Source Study Switzerland: Current data on the use of OSS in Swiss authorities. oss-studie.ch
  • CISA — SBOM Guide: The US cybersecurity agency's guide to the Software Bill of Materials. cisa.gov
