Matrix.org - EU

Matrix for Public Sector: DINUM joins the Foundation as we launch a new forum!

2025-10-21T12:30:00+00:00

🔗</a>DINUM becoming the first government to join the Matrix.org Foundation</h2>
Today DINUM, the French Interministerial Digital Directorate, has officially announced that they were joining the Matrix.org Foundation</a> as a Silver member</a> and becomes the first government to join the Matrix.org Foundation!
This is particularly exciting news as it will hopefully set an example for other public sector organisations using Matrix to communicate, and there are many of them. 
In France, Matrix is the basis for Tchap</a>, the secure messaging system of choice for public officials. It was selected for its security, but also openness, transparency and sovereignty as it limits dependence on proprietary solutions from outside Europe.
With this support, DINUM is committed to:

participating in the governance of the protocol and enhancing its quality, in conjunction with other user states (Sweden, Luxembourg, the Netherlands, Germany...) and the open source business ecosystem;</li>
contributing to the development of the community versions of the various software components of the ecosystem, used by many public services;</li>
ensuring that its actions are part of a framework for sustainable investment in digital commons.</li> </ul>
DINUM has been an active contributor to projects of the Matrix ecosystem for a while, including by providing improvements to the implementation of Sliding Sync, which optimises performance and user experience; as well as the development of a community version of a border gateway, which enhances the security of the communications between distinct organisations.
Stéphanie Schaer, the Interministerial Director for Digital Affairs says: “With this partnership, we are choosing to make a long-term investment in a strategic digital commons for the benefit of the European ecosystem. Matrix is an essential building block for secure and sovereign communication services. This sponsorship reflects our conviction that the digital sovereignty of the State requires direct investment in the commons.”
🔗</a>Matrix for Public Sector</h2>
This announcement comes a few days after the second edition of The Matrix Conference</a>. The Conference was held in Strasbourg (France), gathering about 300 attendees, amongst which more than a dozen public sector organisations, brought together by their use of Matrix as a sovereign, secure and resilient communication protocol.
The Conference saw two full days of public sector track</a>, shedding light on the various exciting deployments of Matrix by these organisations. All the talks are already available for watching here</a>, and will be soon published on the website, but you can find a list of the public sector related ones at the bottom of this post.
We also took the opportunity of having many representatives of these public organisations present in person at the Conference to officially launch a Matrix for Public Sector forum. This is the very first group of its kind that the Foundation sets up and already many other industries are asking for something similar. The group will be proposed to the Governing Board for approval to potentially become an official Working Group</a>.
The goal of the Matrix for Public Sector forum is for the Foundation to bring together all public sector players who have already deployed Matrix or are looking to do so, and enable them to share knowledge, learnings and experiences, generally grow the usage of Matrix in the public sector, hopefully ultimately federating all these deployments into a proper Matrix network.

Launching the Matrix for Public Sector forum at the Matrix Conference 2025 </figcaption> </figure>
This seminal meeting gathered a dozen of organisations including representatives from France, the European Commission, Sweden, Germany, Luxembourg, the Netherlands, Belgium, the UK and Romania. The discussion focused on the type of knowledge and learning could be shared as well as how to structure the group.
All this activity, concretising years of growth of Matrix in the public sector is a huge step forward for the ecosystem, and we are very much looking forward to enabling this group of users to grow. It is also great to start implementing new ways for the Foundation to support the ecosystem and we can’t wait to replicate it with other industries!
And again: Welcome DINUM!
Amandine
🔗</a>Public sector talks at the Conference</h3>
Matrix for Public Sector</a>, Amandine Le Pape, The Matrix.org Foundation
Trialing Matrix within the European Commission for resilient and sovereign communications</a>, Nicolas Dubois, European Commission
Matrix French gov deployment: opening a private federation securely</a>, Mathieu Velten, Direction Interministérielle du Numérique (DINUM)
Consolidating Germany’s administrative communication: Towards a joint Matrix-based architecture</a>, Dominik Braun, Federal IT-Cooperation (FITKO)
Sweden’s Public Sector in Transition</a>, Anna Engström and Kenneth Edwall, Försäkringskassan
Luxchat(4gov)</a>, Patrick Weber, the Luxembourg government
Secure communication leveraging the Matrix protocol for UNICC and its partners</a>, Tima Soni, United Nations International Computing Centre (UNICC)
Supporting TF-X with Matrix: best practices and pitfalls</a>, Jeroen Franssen, NATO ACT
The German BundesMessenger</a>, Kai A. Hiller, BWI
No Desk Is an Island: Enabling Cross-Border Workspace Communication</a>, Alexander Smolianitski, ZenDiS
Matrix’s role in the German Healthcare System</a>, Marie Ruddeck, Gematik
Nationwide Rollout of Matrix-Based Instant Messaging (TI-M) for 74 Million Statutorily Insured Citizens</a>, Jan Kohnert, Gematik
Medical Care over Matrix with Delay during a Simulated Moonwalk</a>, Jan-Lukas Furmanek (FAU Erlangen; University Hospital Erlangen) and Aileen Rabsahl (European Space Agency)
An Update on reaching the German Government via Matrix</a>, networkException, Federal IT-Cooperation (FITKO)

The European Union must keep funding free software

2024-07-17T19:00:00+00:00

The Matrix.org Foundation is joining other organisations in calling on the European Commission to sustain its funding for the Next Generation Internet.
We thank the petites singularités</a> association for their leadership in starting this open letter, and are grateful to OW2</a> for the English translation.
Join us by publishing the letter on your own website and add yourself to this table</a>.
🔗</a>Open letter to the European Commission</h3>
Since 2020, Next Generation Internet (NGI</a>) programmes, part of European Commission's Horizon programme, fund free software in Europe using a cascade funding mechanism (see for example NLnet's calls</a>). This year, according to the Horizon Europe working draft detailing funding programmes for 2025, we notice that Next Generation Internet is not mentioned any more as part of Cluster 4. 
NGI programmes have shown their strength and importance to supporting the European software infrastructure, as a generic funding instrument to fund digital commons and ensure their long-term sustainability. We find this transformation incomprehensible, moreover when NGI has proven efficient and economical to support free software as a whole, from the smallest to the most established initiatives. This ecosystem diversity backs the strength of European technological innovation, and maintaining the NGI initiative to provide structural support to software projects at the heart of worldwide innovation is key to enforce the sovereignty of a European infrastructure. Contrary to common perception, technical innovations often originate from European rather than North American programming communities, and are mostly initiated by small-scaled organizations.
Previous Cluster 4 allocated 27 million euros to:

"Human centric Internet aligned with values and principles commonly shared in Europe" ;</li>
"A flourishing internet, based on common building blocks created within NGI, that enables better control of our digital life" ;</li>
"A structured ecosystem of talented contributors driving the creation of new internet commons and the evolution of existing internet commons".</li> </ul>
In the name of these challenges, more than 500 projects received NGI funding in the first 5 years, backed by 18 organisations managing these European funding consortia.
NGI contributes to a vast ecosystem, as most of its budget is allocated to fund third parties by the means of open calls, to structure commons that cover the whole Internet scope - from hardware to application, operating systems, digital identities or data traffic supervision. This third-party funding is not renewed in the current program, leaving many projects short on resources for research and innovation in Europe.
Moreover, NGI allows exchanges and collaborations across all the Euro zone countries as well as "widening countries" [^1], currently both a success and an ongoing progress, likewise the Erasmus programme before us. NGI also contributes to opening and supporting longer relationships than strict project funding does. It encourages implementing projects funded as pilots, backing collaboration, identification and reuse of common elements across projects, interoperability in identification systems and beyond, and setting up development models that mix diverse scales and types of European funding schemes.
While the USA, China or Russia deploy huge public and private resources to develop software and infrastructure that massively capture private consumer data, the EU can't afford this renunciation. Free and open source software, as supported by NGI since 2020, is by design the opposite of potential vectors for foreign interference. It lets us keep our data local and favors a community-wide economy and know-how, while allowing an international collaboration. This is all the more essential in the current geopolitical context: the challenge of technological sovereignty is central, and free software allows addressing it while acting for peace and sovereignty in the digital world as a whole.

Policy and regulation update 2024: Matrix and the GDPR

2024-06-06T07:00:00+00:00

If you have been following the matrix.org blog for some time, you will know that we’ve never been ones to shy away from complex topics like public policy and its impacts on Matrix. With this blog post series, our aim is to introduce a more regular cadence to our regulatory updates and to be more transparent about where we are focusing our efforts in this area.
Each blog post in the series will focus on a given theme or piece of law, as well as its relevant jurisdiction. We will start this series by taking a deep dive into EU regulation, starting with the General Data Protection Regulation (GDPR). Future blog posts in the series will cover the digital services package (DMA and DSA), the incoming CRA and the highly controversial CSAM regulation. These will be followed by a series dedicated to the UK, particularly UK applications of European law such as the GDPR and ePrivacy directive, as well as the Online Safety Act and the IPA amendment bill. Finally, we will conclude the series by looking across the pond and diving into the Cloud Act, as well as KOSA and other existing proposals. 
🔗</a>The big one</h2>
Over the last decade the most impactful - in terms of grassroots led change, not necessarily enforcement - piece of legislation was probably the GDPR. Although its initial enforcement date (May 2018) was a couple of years before I joined Element and the Matrix.org Foundation, I know that preparing for GDPR was a huge effort that led to a lot of deep thinking about the ins and outs of Matrix.
These have been certainly years of learning, iterating and evolving our approach to this fascinating piece of law, and just like 6 years ago</a>, we keep receiving questions and feedback about how the GDPR applies to the Matrix protocol and how server administrators can remain compliant.
We maintain the view that the GDPR was not built for a decentralised digital world, after all we are (for now!) the exception, not the rule. This does not mean, however, that we don’t make every effort possible to comply with the spirit and the letter of the law. Most organisations using the Matrix protocol will be running strictly closed federations or single servers in closed federation, which they fully control (or appoint others to support them with that control). Compliance is a lot more straightforward in this sense, so for now we will focus on those using Matrix to interact with open federation.
The most difficult part of GDPR compliance for Matrix has always been article 17, right to erasure, or ‘right to be forgotten’ as it is usually known. Our view has always been that this is a relative right, which needs to take into account available technology and other applicable laws in order to be enacted. For example, if an employee leaves a company and asks for all of their data to be erased, in practice not all of that data will actually be erased, due to constraints put in place by other legal instruments (i.e. tax and fraud prevention regulations, employment law, etc.).
Considering this relativity, we looked at what other ubiquitous product offerings already exist in the decentralised space, and how they address erasure. Using email as an analogy was a no-brainer in this regard: one understands that deleting an email account will delete everything from their inbox and sent folders, whilst also understanding that is impossible and not expectable to have the same data deleted from the recipients’ inbox (or the inboxes of those that might have had the same message forwarded to them).
Use of technology is always associated with constant give and take and risk based decisions. Whilst we make every effort to minimise risks for the people using the Matrix protocol, the reality is that one of the main purposes of the protocol is integrity of communications and decentralisation of communications data. This is directly at odds with absolute deletion of communications.
So how do we come to terms with this conflict? Following the email analogy, we address right to erasure from two different standpoints: account data and communications data. As part of the protocol, everyone is able to automatically delete their accounts and select an option to delete all of their data. First, this deletes all ‘external’ data associated with the account, such as e-mail addresses, phone numbers, IP addresses and device identifiers - effectively pseudonymising this data, aside from Matrix IDs which we will address later on. This measure follows recital 28 of the GDPR, which mentions pseudonymisation as a risk reducing measure for data subjects, which helps controllers and processors meet their data protection obligations.
Now, the thornier issue of communications data. How can we apply erasure whilst maintaining the integrity of the service for remaining users? Keeping on with the email analogy, if someone deletes their sent email from their own account, you would still expect an existing thread with multiple users to work and be visible. You just would not expect the same message to leave the original account to new individuals.
That is precisely how the issue is addressed in Matrix - upon deletion of an account, and request for deletion of messages, a flag is applied to the original messages which prevents it from ever being displayed to any new people. This, of course, requires cooperation from the other server administrators who might also have copies of the same message in their server instance. We make this decision by referring to recital 66 of the GDPR, which requires controllers take reasonable steps, taking into account available technology, to inform other controllers of the data subject’s request to have their data erased.
One issue still remains unresolved - Matrix IDs (MXIDs) are always associated with state events (data sent by a user to modify the attributes of a given room - eg its name, its members, its avatar), which means those IDs could still leak over federation. That is a particular concern when one uses their legal name as their MXID. The solution for this is to replace the MXID with a pseudonym, maintaining the integrity of communications and fully removing any last remains of identifiable information in the system.
The Synapse team has also made a lot of progress on message retention policies and media retention, both huge strides to continuously improve the privacy of Matrix users, whilst also helping server administrators comply with their legal obligations.
Things have definitely progressed in the portability space, and chat export is now implemented in multiple Matrix clients, having been first implemented on Element Web in October 2021, in version 1.9.2. We look forward to seeing what the next year brings us in terms of privacy improvements.
For the next post in this series we will continue discussing the EU policy landscape, although from a different perspective. We will be going through the digital services package (which includes the DSA and DMA) and what does it all mean for Matrix now that we have reached implementation stage.
As always, we remain open to your feedback and thoughts. If there is anything you would like to hear more about or have a suggestion for a future blog in this series please feel free to reach out to dpo@matrix.org</a> via email, DM to @gpdr:matrix.org</a> or chat to us in the Office of the Matrix.org Foundation room</a>.