Standards, specifications and principles
Purpose: Overview of the standards, specifications and frameworks the checklists build on.
Digg’s governing documents
This handbook is a supporting document that concretises, complements and eases practical compliance with:
- Digg: Policy on open source software (Reg. no. 2026-02796, decided 2026-04-07, valid until 2029-03-26)
- Digg: Guidelines on open source software (Reg. no. 2026-02797, decided 2026-04-07, valid until 2029-03-06)
Principles
The policy sets out six guiding principles for working with open source software:
- Openness: insight into technical solutions and processes builds trust. Restrictions shall apply only when required by personal integrity or security, and only to the extent necessary.
- Reusability: shared investments yield efficiency. Digg’s solutions shall be designed to be reusable.
- Contribution: active participation in open collaboration strengthens both Digg’s own self-determination and the public sector at large.
- Security: transparency improves the ability to find and handle vulnerabilities; in-house operation reduces exposure in a crisis; control over the code makes security fixes possible throughout its lifetime.
- Open standards: interoperability and reduced lock-in; freedom to switch suppliers.
- Transformation: shared digital administration requires openness as a foundation and continuous improvement through knowledge-sharing.
Compliance, metadata and SBOM formats
REUSE specification: standard for tagging every file with its licence and copyright.
→ See: Licensing, Release preparation
ISO/IEC 5230 (OpenChain): standard for the processes an organisation needs in order to keep its open source licence compliance in order.
→ See: Licensing, Release preparation
SPDX (ISO/IEC 5962): format for licence information and a software bill of materials (SBOM).
→ See: Licensing, Security
CycloneDX: OWASP-maintained SBOM format, i.e. a machine-readable list of the components that make up a piece of software; an alternative to SPDX.
→ See: Security
publiccode.yml specification: a standard metadata file (named publiccode.yml, in the repository root) describing a public-sector software project so it is easier to find and reuse.
→ See: Release preparation
Standard for Public Code: framework for quality and sustainability in public code.
→ See: Release preparation, Security, Issues and contributions
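The REUSE requirements listed above (a copyright tag and an SPDX licence tag on every file, with the licence texts under LICENSES/) can be checked mechanically. The following is an added example, not code from the handbook or from the REUSE project: it runs the check over a constructed in-memory file tree instead of a real repository, accepts the `<file>.license` sidecar that the REUSE specification allows for files that cannot carry comments, and flags licence identifiers outside an allowed list. That allowed list reflects the licences named on this page and is an assumption for the example, not a Digg requirement; the 20-line header window is also an assumption.

```python
"""Added example (not from the Digg handbook or the REUSE tooling): a minimal
REUSE-style check over an in-memory file tree (path -> contents)."""
import re
from typing import Dict, List, Set, Tuple

Tree = Dict[str, str]  # path -> file contents; constructed in memory for this example

COPYRIGHT_RE = re.compile(r"SPDX-FileCopyrightText:\s*(.+)")
LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*(.+)")
TRAILER_RE = re.compile(r"\s*(?:\*/|-->)\s*$")  # strip block-comment closers like */ or -->
HEADER_LINES = 20  # assumption: tags are expected within the first 20 lines
# Assumption for the example: the licences named on this page are the allowed ones.
ALLOWED = {"EUPL-1.2", "GPL-3.0-or-later", "AGPL-3.0-or-later",
           "LGPL-3.0-or-later", "MIT", "Apache-2.0", "CC0-1.0"}


def _tag(regex: "re.Pattern[str]", text: str):
    """Return the value of the first matching tag in the header window, or None."""
    for line in text.splitlines()[:HEADER_LINES]:
        m = regex.search(line)
        if m:
            return TRAILER_RE.sub("", m.group(1)).strip()
    return None


def license_ids(expr: str) -> List[str]:
    """Split an SPDX expression such as '(MIT OR Apache-2.0) AND X' into identifiers."""
    parts = re.split(r"\s+(?:AND|OR|WITH)\s+|[()]", expr)
    return [p.strip() for p in parts if p.strip()]


def is_metadata_path(path: str) -> bool:
    """Sidecar .license files and the LICENSES/ directory are not checked themselves."""
    return path.endswith(".license") or path.startswith("LICENSES/")


def check_file(path: str, tree: Tree) -> Tuple[List[str], List[str]]:
    """Return (problems, licence ids used) for one file; a sidecar wins over the file."""
    sidecar = path + ".license"
    text = tree[sidecar] if sidecar in tree else tree[path]
    problems: List[str] = []
    if _tag(COPYRIGHT_RE, text) is None:
        problems.append("missing SPDX-FileCopyrightText")
    expr = _tag(LICENSE_RE, text)
    ids: List[str] = []
    if expr is None:
        problems.append("missing SPDX-License-Identifier")
    else:
        ids = license_ids(expr)
        problems += [f"licence {lid} is not in the allowed list" for lid in ids if lid not in ALLOWED]
    return problems, ids


def check_tree(tree: Tree) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Return (per-file problems, licence ids with no LICENSES/<id>.txt text)."""
    findings: Dict[str, List[str]] = {}
    used: Set[str] = set()
    for path in sorted(tree):
        if is_metadata_path(path):
            continue
        problems, ids = check_file(path, tree)
        used.update(ids)
        if problems:
            findings[path] = problems
    missing_texts = {lid for lid in used if f"LICENSES/{lid}.txt" not in tree}
    return findings, missing_texts


def is_compliant(tree: Tree) -> bool:
    findings, missing = check_tree(tree)
    return not findings and not missing


# Constructed sample tree: one clean file, three defective ones, one binary with a sidecar.
SAMPLE_TREE: Tree = {
    "src/app.py": "# SPDX-FileCopyrightText: 2026 Digg\n# SPDX-License-Identifier: EUPL-1.2\n\nprint('hi')\n",
    "src/util.py": "def helper():\n    return 1\n",                       # no tags at all
    "src/vendor.js": "// SPDX-License-Identifier: MIT OR Apache-2.0\nexport {};\n",  # no copyright tag
    "src/old.c": "/* SPDX-FileCopyrightText: 2020 Someone */\n/* SPDX-License-Identifier: GPL-2.0-only */\n",
    "assets/logo.png": "<binary>",
    "assets/logo.png.license": "SPDX-FileCopyrightText: 2026 Digg\nSPDX-License-Identifier: CC0-1.0\n",
    "LICENSES/EUPL-1.2.txt": "(licence text)",
    "LICENSES/CC0-1.0.txt": "(licence text)",
}

if __name__ == "__main__":
    findings, missing = check_tree(SAMPLE_TREE)
    for path, problems in findings.items():
        print(path, "->", "; ".join(problems))
    print("licence texts missing under LICENSES/:", sorted(missing))
    print("compliant:", is_compliant(SAMPLE_TREE))
```

The real `reuse lint` tool also evaluates REUSE.toml bulk annotations and validates identifiers against the full SPDX licence list; this example shows only the per-file tag rule and the LICENSES/ rule, which is enough to wire a fail-fast check into a release pipeline.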
Versioning and release practice
Basis for Release preparation and Release 1.0.0.
Conventional Commits: rules for commit messages that let changelogs and version numbers be generated automatically.
Keep a Changelog: user-friendly release history.
Semantic Versioning 2.0.0: consistent version numbering.
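The three conventions above chain together: the commit type and breaking-change markers from Conventional Commits decide the Semantic Versioning bump, and the same commits are grouped into Keep a Changelog sections. The following is an added example, not code from the handbook or from any release tool, that implements that chain with constructed commit messages. Two choices in it are assumptions rather than rules from the specifications: before 1.0.0 a breaking change bumps MINOR instead of MAJOR, and the mapping of commit types to changelog sections (feat to Added, fix to Fixed, breaking to Changed).

```python
"""Added example (not from the Digg handbook): Conventional Commits ->
SemVer 2.0.0 bump -> Keep a Changelog sections, on constructed messages."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header: <type>[optional scope][!]: <description>
HEADER_RE = re.compile(r"^(?P<type>[A-Za-z]+)(?:\((?P<scope>[^()]+)\))?(?P<bang>!)?: (?P<desc>\S.*)$")
# Footer token must be uppercase per the specification; both spellings are allowed.
BREAKING_FOOTER_RE = re.compile(r"^BREAKING[ -]CHANGE: ", re.MULTILINE)
# SemVer 2.0.0 version; groups 4/5 capture pre-release and build metadata.
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")
# Keep a Changelog section order; the type->section mapping is an assumption.
SECTION_ORDER = ["Added", "Changed", "Deprecated", "Removed", "Fixed", "Security"]
SECTION_FOR_TYPE = {"feat": "Added", "fix": "Fixed"}


@dataclass
class Commit:
    type: str
    scope: Optional[str]
    breaking: bool
    description: str


def parse_commit(message: str) -> Commit:
    """Parse one commit message; types are case-insensitive, BREAKING CHANGE is not."""
    header, _, rest = message.partition("\n")
    m = HEADER_RE.match(header.strip())
    if m is None:
        raise ValueError(f"not a Conventional Commits header: {header!r}")
    breaking = m.group("bang") is not None or BREAKING_FOOTER_RE.search(rest) is not None
    return Commit(m.group("type").lower(), m.group("scope"), breaking, m.group("desc").strip())


def bump_level(commits: List[Commit]) -> Optional[str]:
    """Highest bump required by the set of commits, or None if nothing releasable."""
    if any(c.breaking for c in commits):
        return "major"
    if any(c.type == "feat" for c in commits):
        return "minor"
    if any(c.type == "fix" for c in commits):
        return "patch"
    return None


def next_version(current: str, messages: List[str]) -> str:
    m = SEMVER_RE.match(current)
    if m is None:
        raise ValueError(f"not a SemVer 2.0.0 version: {current!r}")
    if m.group(4) or m.group(5):
        raise ValueError("pre-release/build metadata is not handled in this example")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    level = bump_level([parse_commit(x) for x in messages])
    if level == "major" and major == 0:
        level = "minor"  # assumption: the 0.y.z series absorbs breaking changes as MINOR bumps
    if level == "major":
        return f"{major + 1}.0.0"
    if level == "minor":
        return f"{major}.{minor + 1}.0"
    if level == "patch":
        return f"{major}.{minor}.{patch + 1}"
    return current


def changelog_sections(commits: List[Commit]) -> Dict[str, List[str]]:
    """Group releasable commits into Keep a Changelog sections (mapping is an assumption)."""
    sections: Dict[str, List[str]] = {}
    for c in commits:
        name = "Changed" if c.breaking else SECTION_FOR_TYPE.get(c.type)
        if name is None:
            continue  # docs, chore, refactor, ... do not appear in the user-facing changelog
        entry = f"{c.scope}: {c.description}" if c.scope else c.description
        sections.setdefault(name, []).append(entry)
    return sections


def render_changelog(version: str, date: str, commits: List[Commit]) -> str:
    sections = changelog_sections(commits)
    lines = [f"## [{version}] - {date}"]
    for name in SECTION_ORDER:
        if name in sections:
            lines.append(f"### {name}")
            lines += [f"- {e}" for e in sections[name]]
    return "\n".join(lines) + "\n"


# Constructed sample commits covering feat, fix, a non-releasable type and a breaking change.
SAMPLE_COMMITS = [
    "feat(sbom): export CycloneDX and SPDX documents",
    "fix(auth): reject expired tokens\n\nCloses #12",
    "docs: update release checklist",
    "refactor(config)!: drop the legacy ini loader\n\nBREAKING CHANGE: only YAML configuration is read",
]

if __name__ == "__main__":
    commits = [parse_commit(m) for m in SAMPLE_COMMITS]
    print("1.4.2 ->", next_version("1.4.2", SAMPLE_COMMITS))
    print(render_changelog(next_version("1.4.2", SAMPLE_COMMITS), "2026-05-01", commits))
```

Pre-release versions are rejected rather than guessed at, since promoting `1.5.0-rc.1` to a release is a policy decision the two specifications leave to the project.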
Community and contributions
Contributor Covenant: code of conduct for respectful and inclusive collaboration.
→ See: Issues and contributions
Developer Certificate of Origin (DCO): contributors certify the right to contribute.
→ See: Release preparation, Upstream contribution
TODO Group: practices and templates for running an open source program office (OSPO).
→ See: Upstream contribution
Secure development and vulnerability handling
Basis for Security; some of these frameworks also feed into other checklists.
OpenSSF OSPS Baseline (Open Source Project Security Baseline): a tiered set of minimum security controls for open source projects, with three levels that grow with project maturity. The guidelines explicitly state that recommendations from OpenSSF should be used where relevant.
→ See also: Working on a code-collaboration platform, Release preparation
OpenSSF Concise Guide for Developing More Secure Software: a concise guide to secure software development.
→ See also: Working on a code-collaboration platform
ISO/IEC 27001 and 27002: requirements for an information security management system (27001) and the catalogue of controls it draws on, including information classification (27002).
OWASP ASVS: checklist of requirements for verifying application security (Application Security Verification Standard). The guidelines explicitly cite OWASP as a reference framework.
OWASP Cheatsheets and OWASP Software Developer Guide: practical guidance for secure development.
SAFECode Fundamental Practices for Secure Software Development: established principles for secure software development.
Supply chain and release security
Basis for Security.
OpenSSF Scorecard: automated check that scores a project’s security practices and suggests improvements.
Sigstore: tooling to sign software artefacts and verify their provenance (cosign for signing and verification, Fulcio for short-lived certificates, Rekor as the transparency log).
SLSA: framework of security levels that protect the software supply chain from tampering (Supply-chain Levels for Software Artifacts).
ISO/IEC 18974: standard for systematic security work in the supply chain (OpenChain Security Assurance).
CNCF Security TAG — Software Supply Chain Security Paper: best practices for secure software supply chains.
Licences
A selection of common licence choices per the guidelines and Digg’s recommendation on open licences and intellectual property rights; see the licensing checklist for choice and compatibility in practice.
EUPL 1.2: European Union Public Licence; copyleft (requires that further development stays open), legally valid in all official EU languages including Swedish, covers network use (SaaS) and is compatible with several member states' legislation. First choice among copyleft licences.
GPL-3.0 and AGPL-3.0: strong copyleft licences; AGPL extends the copyleft to software offered over a network (SaaS), where no distribution in the GPL sense takes place.
LGPL-3.0: weaker copyleft for libraries; a common licence convention in some ecosystems.
MIT and Apache-2.0: permissive licences when both open and closed further development are to be allowed; Apache-2.0 provides an explicit patent grant.
CC0 1.0: public-domain dedication (waiver of copyright) for documentation, examples and open data; not for code.
External resources and community
Education and knowledge
- opensource.guide: training in open source
- EU Open Source Strategy: referenced in the policy; part of the EU’s tech sovereignty package
Swedish public sector
- Sweden’s digitalisation strategy 2025-2030 (in Swedish): national direction for digitalisation
- National cybersecurity strategy 2025-2029 (in Swedish): national direction for cybersecurity and resilience
- Ena - Sweden’s digital infrastructure: shared digital infrastructure for secure and efficient information exchange
- eSam: Sharing and use of open source (in Swedish): guidance for the public sector on sharing and using open source
- eSam: Technical conditions in cloud services 2.0 (in Swedish): guidance on technical conditions for cloud services
- eSam: Report on collaboration around applied AI (in Swedish): report on public-sector collaboration around applied AI
- eSamverkan publications (in Swedish): publications and guidance for public-sector digital collaboration
- NOSAD (Network for Open Source And Data) (in Swedish): guidance, templates, strategic documents
- NOSAD’s guidance on procurement of open source (in Swedish): for public-sector buyers and procurers
- Kammarkollegiet’s guidance for call-offs from Software and Services (in Swedish): general call-off support
- Kammarkollegiet’s Requirements catalogue for Software solutions (in Swedish): requires OSI-approved open source licences (section 7.5)
- Inköpsrådet’s article series (in Swedish): procurement and open source
- offentligkod.se (in Swedish): catalogue of open source software
- Sweden’s data portal: portal for data from the public sector
International resources
- EU Open Source Solutions Catalogue: catalogue of reusable open source solutions for the EU public sector
- Interoperable Europe Portal: the EU’s platform for open source and interoperability
- Strengthening Europe’s Tech Sovereignty: the European Commission’s package for digital independence (adopted June 2026); it includes the EU Open Source Strategy among other initiatives
- Interoperability Regulation (EU) 2024/903: EU regulation on measures for a high level of interoperability in the public sector; referenced explicitly in Digg’s policy and guidelines
- Standard for Public Code Community: community for the Standard for Public Code