Open-Source Is No Longer a Cost Play, It's a Control Play
96% of organizations use open source. But the reason has changed. It's no longer about cost. It's about control, sovereignty, and vendor independence.
Insights, updates, and stories from our team
96% of organizations use open source. But the reason has changed. It's no longer about cost. It's about control, sovereignty, and vendor independence.
How nestedvirt uses KVM nested_run counters to help OpenStack and KVM operators decide whether disabling nested virtualization is operationally safe.
Our technical assessment of CVE-2026-53359, the Linux KVM/x86 vulnerability known as Januscape, and its impact on OpenStack compute operations.
96% of organizations use open source. But the reason has changed. It's no longer about cost. It's about control, sovereignty, and vendor independence.
Open-source adoption isn't new. What's changed is why organizations are choosing it.
For years, the conversation was mostly about cost. Open-source offered an alternative to expensive licensing models and proprietary platforms, making it an easy business case. Today, that decision has already been made. According to the 2025 State of Open-Source Report, 96% of organizations increased or maintained their use of open-source over the past year, a sign that it's now a standard part of the enterprise technology stack.
What's changed is the motivation.
In 2026, the same report found that concern over vendor lock-in has become one of the fastest-growing drivers of adoption. Fifty-five percent of organizations now cite avoiding vendor lock-in as a key reason for choosing open-source, a 68% increase year over year. In Europe, that figure rises to 63%, reflecting growing demand for technology that organizations can operate and govern on their own terms.
This shift isn't an ideological one. It's a response to the way enterprise infrastructure is changing. AI workloads are increasing the cost of long-term platform decisions. Regulations such as the EU AI Act, DORA, and NIS2 are placing greater emphasis on transparency, portability, and governance. At the same time, geopolitical uncertainty is pushing organizations to reduce dependence on technologies they don't fully control.
Open-source can help address those challenges, but only if organizations control the infrastructure it's running on. Using open-source software and owning the platform that powers it are not the same thing.
In this post we explore what's behind the shift, what control actually looks like in practice, and how platforms built on OpenStack and Kubernetes, like Atmosphere by VEXXHOST, deliver open-source infrastructure that organizations genuinely own and govern.
Open-source centered the enterprise because it made financial sense. Why pay expensive licensing fees when you could build on software that was freely available? Lower costs, no vendor premiums, and the flexibility to choose your own support model made it an easy business decision.
Today, the conversation has moved beyond the cost. Organizations aren't choosing them simply because they're cheaper. They're choosing them because they want more control over the infrastructure they depend on.
The reasons are straightforward.
Auditability. When regulators ask how your infrastructure works, you need more than documentation. Open-source lets you inspect the code, understand what's happening, and verify how systems behave instead of relying solely on a vendor's assurances.
Portability. Infrastructure built on open standards makes it easier to move workloads between environments without rebuilding applications or becoming dependent on proprietary APIs and licensing models.
Independence. When Broadcom changed VMware's licensing model, many organizations discovered how difficult it was to leave a proprietary ecosystem. Those already running open-source infrastructure had far more flexibility because they weren't tied to a single vendor.
Sovereignty. Governments are reaching the same conclusion. The European Commission's Open Source Strategy, published in June 2026, places open-source software at the heart of its approach to technological sovereignty, recognizing that control over critical infrastructure is becoming a strategic issue rather than simply an IT decision.
Cost may have been the reason organizations started adopting open-source software. Increasingly, control is the reason they're continuing to invest in it.
The shift from cost to control wasn't driven by a single event. It came from the convergence of AI, regulation, and geopolitics, all of which changed what organizations expect from their infrastructure.
AI raised the stakes. Infrastructure is no longer just hosting applications. It's storing training data, running inference, and supporting workloads that are becoming core business assets. That has turned questions like where data resides, who controls the hardware, and whether the platform can be audited into strategic decisions. Organizations increasingly need infrastructure they can inspect, modify, and operate on their own terms.
Regulation reinforced that need. The EU AI Act requires documented data governance and automatic logging. DORA requires operational resilience and tested exit strategies. NIS2 raises security and reporting requirements, while the Data Act strengthens data portability. Together, these regulations assume organizations can demonstrate how their infrastructure works, not simply trust a vendor's documentation.
Geopolitics has added another layer. The US CLOUD Act allows US authorities to compel access to data held by American companies, regardless of where that data is stored. For many organizations, where infrastructure is governed has become just as important as where it's hosted.
These trends reinforce one another. AI increases the value of the infrastructure you're protecting. Regulation increases the accountability for how it's managed. Geopolitics increases the importance of who ultimately controls it.
For a closer look at how localized infrastructure supports data sovereignty, read Data Sovereignty and Localized Private Infrastructure. For context on how the EU AI Act maps to infrastructure decisions, read Sovereign by Architecture: Building AI Infrastructure for the EU AI Act.
One of the biggest misconceptions about open-source is that access to the code automatically gives you control. Those are two very different things.
You can run open-source software and still be dependent on a vendor. If a provider maintains its own fork, adds proprietary components, and manages the platform on your behalf, you're using open source, but you're operating within their ecosystem. Your visibility is limited to what they expose; your upgrade schedule follows their roadmap, and migrating away becomes far more difficult than it first appears.
Kubernetes is a good example. Many managed distributions include custom resource definitions, proprietary operators, and platform-specific integrations. The foundation is open source, but over time those additions become part of your architecture, making it harder to move to another environment without significant rework.
The same is true for OpenStack. A deployment built around proprietary networking, storage, or heavily modified distributions can create many of the same dependencies as a proprietary cloud. Simply using OpenStack doesn't guarantee portability.
Real control comes from three things.
Staying close to upstream. Running software that remains aligned with the upstream project rather than a heavily modified fork makes it easier to adopt new releases, stay compatible with the wider ecosystem, and avoid unnecessary migration challenges.
Operational flexibility. You don't have to manage everything yourself, but you should always be able to. Whether you operate the platform internally or work with a managed provider, the architecture shouldn't depend on proprietary tooling that limits your options.
Owning the roadmap. You decide when to upgrade, how to secure the platform, and which new capabilities to adopt. Community projects provide the innovation, but those decisions remain yours.
Using open-source software is now commonplace. Owning the infrastructure it runs on is what gives organizations the flexibility, portability, and independence they're increasingly looking for.
For more on how proprietary extensions quietly create dependency even on open-source platforms, read What Your Cloud Provider Doesn't Want You to Think About.
Control is the result of the architectural decisions you make.
OpenStack gives you infrastructure you can inspect, audit, and operate yourself. Compute, networking, storage, identity, and GPU resources are all managed through open APIs rather than proprietary control planes. When you need to understand how the infrastructure works, the answer is in the platform itself, not behind a vendor's documentation.
Kubernetes extends that same approach to workloads. Applications, AI training jobs, inference services, and data pipelines defined through standard Kubernetes APIs can move between conformant clusters without being tied to a single provider. Portability isn't an add-on. It's built into the orchestration layer.
Ceph does the same for storage. Data remains in open formats under your control, without proprietary storage systems or migration barriers. Whether it's deployed alongside compute or replicated across regions, the architecture stays consistent.
Together, OpenStack, Kubernetes, and Ceph create an infrastructure stack that's transparent, portable, and designed around open standards. Instead of relying on proprietary layers, every component can be inspected, replaced, or operated independently.
Atmosphere by VEXXHOST brings those technologies together in a production-ready managed platform. It combines upstream OpenStack with CNCF-certified Kubernetes, without proprietary forks or vendor-specific extensions. The team also contributes directly to upstream projects, including Nova and Magnum, helping improve the same software customers run in production.
For organizations that don't want to build an operations team from scratch, Atmosphere provides a fully managed service while keeping the underlying architecture open. VEXXHOST handles operations, upgrades, and monitoring, but customers retain standard APIs, portability, and the freedom to move their workloads when they choose.
For a full overview of the managed model, read The Complete Guide to Managed OpenStack with Atmosphere.
Open-source has already proven its value. For most organizations, the question is no longer whether to adopt it, but how much control they'll have over the infrastructure it runs on.
That control comes from staying close to upstream, avoiding unnecessary vendor dependencies, and retaining the freedom to inspect, operate, and move your infrastructure when your requirements change. Lower costs may be part of the equation, but they're no longer the primary reason organizations are investing in open-source infrastructure.
If the goal is long-term flexibility, resilience, and digital sovereignty, owning the infrastructure matters just as much as the software running on it.
Explore Atmosphere by VEXXHOST and see what open-source infrastructure looks like when it's built around openness, portability, and control.
Choose from Atmosphere Cloud, Hosted, or On-Premise.
Simplify your cloud operations with our intuitive dashboard.
Run it yourself, tap our expert support, or opt for full remote operations.
Leverage Terraform, Ansible or APIs directly powered by OpenStack & Kubernetes