ADJUSTER
TR / EN
13.07.2026 Blog Post

Transition to Open Source Software (OSS) for Public Institutions

Transition to Open Source Software (OSS) for Public Institutions
First, we need to understand what Open Source Software (OSS) is. There is a software license agreement that includes the rights and permissions regarding how the developed software can be used. Software developers or companies that develop software provide this agreement to the user along with the software. Those who purchase the software are considered to have accepted this agreement. We know that this software is an intellectual/industrial right for the individuals or businesses that develop it. Indeed, the Law No. 5846 on Intellectual and Artistic Works emphasizes license agreements, and those who do not comply with these agreements are considered cybercriminals. Some manufacturers are quite sensitive about these issues. Especially regarding the inappropriate use of licensed products such as drawing programs used in industry, they can request evidence gathering from the courts according to Article 400 of the Code of Civil Procedure No. 6100, and the courts usually accept this request. In this case, raids can be carried out on the identified workplaces with the accompaniment of lawyers and experts. Public institutions are also, of course, obliged to comply with these licenses. In fact, the Prime Ministry circular dated July 16, 2008, numbered 26938, emphasized that the use of software contrary to licenses is prohibited even in the public sector. Open source licenses are among the types of software licenses. Open source software licenses allow users to use, modify, and distribute the source code based on agreed terms and conditions. However, a software being open source does not mean that it can be used, copied, modified, and distributed as desired. Depending on the type of license, some may allow you to develop the source code and generate commercial profit, while others may only allow you to modify the source code to meet your needs or fix problems. This must be explicitly stated in the open source license agreement.

A significant period began in the public sector with the Presidential Circular on the Use of Public Financial Management and Control in the Public Sector, published on July 29, 2023, with number 32263. This circular applies to public administrations within the scope of Schedules (I), (II), (III) and (IV) annexed to the Public Financial Management and Control Law No. 5018 dated December 10, 2003, excluding the Ministry of National Defence, the National Intelligence Organization, the Defence Industry Presidency, the General Secretariat of the National Security Council, the General Directorate of Security, the Gendarmerie General Command and the Coast Guard Command; as well as public institutions and organizations affiliated with, related to and associated with these administrations, provincial special administrations, municipalities and their affiliated organizations, and the unions, institutions and enterprises they establish. Public economic enterprises subject to the Decree Law No. 233 dated 8/6/1984 on Public Economic Enterprises, and all types of organizations, institutions, unions, businesses, and companies in which they directly or indirectly, individually or jointly, own more than half of the capital; private law organizations, funds, revolving funds, and all other public institutions and organizations whose shares are more than half owned by the public and which have been included in the scope and program of privatization are obliged to comply with the circular. According to the circular;

Each organization will create an inventory of its commercially licensed software and submit a "Resource Utilization Transition Analysis and Roadmap Report" to the Digital Transformation Office within 9 months, outlining which of these can be replaced with Resource Utilization-equipped alternatives. In fact, organizations should have already created these inventories beforehand according to the DDO Information and Communication Security Guide. Updating them using the templates available on the DDO website will suffice.
The necessary financial resources for the work to be carried out within the framework of the Roadmap Report will primarily be provided by the Strategy and Budget Presidency. This is very important. As you may recall, the implementation of the DDO Information and Communication Security Guide was also made mandatory by the Circular (July 6, 2019), but no clause was included regarding the funds required for compliance with the guide.
Organizations may choose to use commercially licensed software. Even if they do not have a Funding Rights Fund (FRF) in place, if they still request funding, the project proposal forms submitted to the Strategy and Budget Presidency must detail the technical and economic reasons why FRF equivalents were not preferred for the commercially licensed software they intend to acquire.
Existing software developed through the customization of existing AKKY (Resource Utilization and Quality Management) licenses by software companies operating in Türkiye and personnel employed in Türkiye will also be considered in the AKKY transition process. These software programs will be evaluated even if they do not currently use AKKY licenses. If suitable AKKY products are not available, these commercially licensed software programs will be preferred over commercially licensed software, taking into account their technical and financial suitability for meeting the needs of the relevant public institution or organization.
Below are the licenses that can be accepted under the Open Source Software Transition (ASS) within the scope of the Circular. The list has been prepared according to the Open Source Software Transition Analysis Guide prepared by the Digital Transformation Office (DDO) and TÜBİTAK-ULAKBİM.

BSD Zero Clause License
Academic Free License
GNU Affero General Public License
Apache License
Artistic License
BSD 2-Clause “Simplified” License
BSD 3-Clause Clear License
BSD 3-Clause “New” or “Revised” License
BSD 4-Clause “Original” or “Old” License
Boost Software License
Creative Commons Attribution International
Creative Commons Attribution Share Alike International
Creative Commons Zero Universal
CeCILL Free Software License Agreement
Educational Community License
Eclipse Public License
European Union Public License
GNU Free Documentation License
GNU General Public License
ISC License
GNU Lesser General Public License
LaTeX Project Public License
MIT No Attribution
MIT License
Mozilla Public License
Microsoft Public License
Microsoft Reciprocal License
Mulan Permissive Software License
University of Illinois/NCSA Open Source License
Open Data Commons Open Database License
SIL Open Font License
Open Software License
PostgreSQL License
The Unlicense
Universal Permissive License
Vim License
zlib License
In the remainder of this article, I have tried to outline my views on the Circular.

Above all, I find the circular very valuable. I thank everyone involved, especially our President, for this vision and the will shown.

First, I would like to remind you of the IT expenditures made in our country. According to the "2023 Public Information and Communication Technologies Investments Report" published by the Strategy and Budget Presidency on May 10, 2023, although a total of 21.203 billion TL (785 million dollars) was allocated for public ICT investments, when we exclude the top 10 institutions with the largest budget allocations (BTK communication infrastructure projects, MEB FATIH project, etc.), 5.930 billion TL (15.273) has been allocated to all other institutions. At today's exchange rate, this is 219.6 million dollars. The budget allocated to public ICT projects is only 4.7% of the total investment budget.


Figure 1. Public ICT Investments, 2002-2023

Figure 2. Ratio of Public ICT Investments to Other Public Investments, 2002-2023
The reason I draw attention to these expenditure ratios is that the Circular begins with the sentence, "Saving on IT expenditures by widespread use of open-source software (OSS) in the public sector." I believe the "saving on IT expenditures" mentioned at the beginning of the Circular refers to saving on licensing costs going abroad. The aim is to invest more in domestic software, open source, human resources, and new IT projects by saving on these costs. Otherwise, whether we look at the share of ICT in total investments or the allocations in dollar terms, we can say that the savings are already high.

The number of permanent engineers, programmers, and contract employees in the IT field in public institutions is quite insufficient. Especially since open source, by its nature, requires updating and adapting things, it needs more IT human resources. In this respect, it is necessary to increase the IT human resources in the public sector simultaneously. We also face the problem of IT labor migration, which hinders this. Since the market is also experiencing a shortage of trained personnel in this area, it has become difficult to retain the small number of IT personnel in institutions.

Another aim of the circular is to strengthen cybersecurity. This observation is entirely accurate. In some licensed products, source code is inaccessible. This leads to a vulnerability known as a backdoor. Countries or companies can use these backdoors for their own benefit to access sensitive personal or corporate data, using it for marketing or other purposes. Our country has begun to act cautiously in this regard, and this issue has been highlighted in the DDO Information and Communication Security Guide. The guide requests that purchased software be checked for backdoor vulnerabilities. However, in practice, this has not been implemented because access to the source code of many packaged software packages is not possible. Another point that should not be overlooked is that open-source software, like any software, may have cybersecurity vulnerabilities. In other words, being open-source does not mean that software is free of cybersecurity vulnerabilities. Especially in recent cyberattacks, it has been observed that open-source libraries within software are targeted. For this reason, methods and tools called Software Composition Analysis (SCA) have emerged, which are used to analyze the structure and security of software components. In this approach, the current versions or vulnerabilities of open-source components used in the software are examined. Even where the developers downloaded these open-source components is very important.

There are communities that offer open-source software snippets. Attackers can mimic these communities, inserting malicious code snippets and then installing them on your own system. On the other hand, they constantly search for vulnerabilities in source code, and since this code is open, they naturally find them. Therefore, when using open-source software, cybersecurity should be more agile. In conclusion, securing the cybersecurity of products used under open-source licenses is just as difficult and labor-intensive as securing licensed products. Public institutions must also increase their investments in cybersecurity and the number of trained IT personnel in this area.

The circular states that "Software developed by software companies operating in Turkey and personnel employed in Turkey through the customization of existing open-source software will also be considered in the open-source transition process, even if they do not use open-source licenses in terms of software licensing procedures." This is extremely important. Today, it is almost impossible to avoid using open-source code snippets in any part of the software code. Naturally, these infrastructures are also used in the domestic software development process. It is very valuable that the money allocated for licensing remains within the country and contributes to national employment and R&D without leaving the country. Considering the cheap labor and living costs in our country, multinational companies can be encouraged to establish their R&D units here. Just as some foreign-owned vehicle manufacturers produce in Türkiye with local partners and sell vehicles to the public sector by reaching the localization rate (51%) specified in the regulations, software can also be sold to the public sector in a similar way. Of course, this requires different support packages and approaches. Leaving that aside, it is possible to understand from this clause that efforts have been made to ensure that the domestic software ecosystem is not negatively affected.
← Back to Blog