The Cyber Resilience Act is Here
With the recent publication of the EU’s Cyber Resilience Act (CRA) in the EU official journal, a 3 year race now begins for compliance by the global technology industry. This legislation sets new cybersecurity requirements that manufacturers and the open source projects they rely upon must meet. The open source community via the Open Regulatory Compliance (ORC) Working Group, is working with numerous open source foundations, SMEs, and industry to establish processes to comply with this new regulatory landscape.
The Race to Compliance
The CRA defines clear targets and timelines, marking the start of a sustained compliance journey. This effort will require time, energy, and resources and the ORC Working Group is here to support the open source ecosystem. Our mission is to guide open source participants and adopters in aligning with CRA requirements through practical frameworks and expertise to support their regulatory journey from start to finish.
How the ORC Working Group Supports Open Source Compliance
The many foundations and other stakeholders which are members of the ORC Working Group are dedicated to guiding the open source community toward successful CRA compliance. Through active community engagement, we’re creating practical resources and adaptable frameworks that empower projects to meet regulatory standards, while preserving open source values. As a community, we have identified the following 4 pillars to guide this effort:
- Bridging the Knowledge Gap: The ORC Working Group prioritises education and training to empower the community with tools to adopt compliant development practices. By creating resources, like cyber resilience guidelines for example, and continuously updating them to align with emerging regulations, we simplify CRA compliance for open source maintainers, projects, communities, and foundations.
- Establishing Compliance Frameworks: We’re defining best practices, processes, and tools that can be translated into specifications addressing regulatory needs. These frameworks prioritise security and compliance for open source projects. Additionally, we will work with standardisation bodies to ensure that open source perspectives help shape global regulatory standards.
- Institutional Engagement: Collaboration with regulatory authorities is central to effective compliance. The ORC Working Group is committed to engaging with these institutions, gathering feedback, and supporting the adoption of community-driven compliance frameworks. This ensures our work aligns with both industry standards and regulatory expectations.
- Strengthening Community Support: Community engagement drives this effort. Through events, workshops, and comprehensive documentation, we keep members informed and prepared for CRA compliance. In the coming months, the ORC will launch additional guidance initiatives to ensure that the open source community is supported every step of the way.
Ultimately, the CRA provides the community and industry an opportunity to deliver more secure products while making open source more sustainable. It will be a new challenge for our community. However, by working together on practices and standards to facilitate compliance we will achieve its laudable goal: making the digital products that are so prevalent in our lives more secure.
Join the Effort
Joining ORC is your opportunity to contribute directly to a compliance strategy that not only upholds cybersecurity requirements but also supports ongoing open source innovation. Early involvement with the ORC Working Group offers a chance to contribute to the foundational compliance framework that will guide our community and influence how standards are implemented industry-wide. Join us in shaping how the CRA is implemented to set the open source community up for success under these new regulations.
Introducing Our Keynote Speakers at OCX 2024
As we approach the Open Community Experience (OCX), scheduled to take place from 22-24 October in Mainz, Germany, my anticipation and excitement continues to build. This event marks a new chapter for our community, with a fresh conference format that I believe will bring even more value to all of us. The focus on collocated events is something I’m particularly enthusiastic about, as it allows us to explore a broader range of topics including automotive and Java, while EclipseCon remains at the heart of this experience.
Whether you’re a regular EclipseCon attendee or joining us from one of the many communities that make up our “community of communities,” I look forward to connecting with you. For me, our flagship conference is more than just an event—it’s a yearly highlight where I get to reconnect with old friends, make new ones, and engage in the meaningful conversations that drive our collective work forward.
I’m honoured to be delivering the keynote on “The State of the Eclipse Foundation” this year. I’ll be sharing key updates, our vision for the future, and how we plan to continue driving innovation in the open source space. As we celebrate the Eclipse Foundation’s 20th anniversary, it’s a pivotal moment for us, and I’m excited to take you along on this journey.
But it’s not just me you’ll hear from. We’ve lined up a stellar group of keynote speakers, each bringing their unique expertise and deep expertise in their respective fields. Prepare to be inspired by some of the brightest minds in the industry:
- Haibo Chen from Huawei will deliver an exciting session titled “Empowering a Connected Intelligent World With OpenHarmony and Oniro.” This talk will explore how OpenHarmony and Oniro, both open source initiatives, are driving the connected intelligent future.
- Cédric Dumont, an extreme sports athlete and base-jumping pioneer, will provide the inspirational keynote “Scaling New Heights: Emerging trends in performance and leadership for thriving as a team in disruption.”
- Ruth Ikegah, an Open Source Program Manager, acclaimed speaker, and GitHub Star, will deliver her keynote “From Local Roots to Global Impact: Building an Inclusive Open Source Community in Africa.” Ruth will highlight how inclusivity fuels innovation and growth within the global open source community.
- Yann Lechelle from Probabl will take the stage with “Eyes Wide Open, AIs Wide Open – Or How to Remain in Control in the Age of AI,” exploring the big picture implications of compute, data, and machine learning, and how we can stay competitive while safeguarding the values that make us human.
- Sarah Novotny, a leading voice in open source, who has guided projects like Kubernetes, OpenTelemetry, NGINX, and MySQL, will present “We Build Software in the Open to Build Trust.” She’ll discuss the need for transparent and collaborative open source software development and its profound economic and societal impact.
- Leandro von Werra, from Hugging Face, will offer insights into the future of LLMs for code and how the BigCode project is paving the way for open and responsible AI-driven development at the session “BigCode: Building Open LLMs for Code”.
And that’s just the beginning. OCX 2024 is packed with sessions, workshops, and networking opportunities designed to spark innovation, collaboration, and growth. Whether you’re deeply involved in open source software or just beginning your journey, there’s something here for everyone.
I’m genuinely excited about what we’ll experience together at OCX 2024. This is our chance to come together, share our knowledge, and set the stage for the future of open source development. Don’t miss the opportunity to save by taking advantage of early bird pricing—register before 7 October 2024.
See you there!
Securing the Future of Open Source: Launching the Open Regulatory Compliance Working Group
Today marks an important milestone for the open source community. As open source software continues to drive innovation across industries, ensuring its relevance and compliance with emerging regulations has never been more critical.
To address these challenges, the Eclipse Foundation is proud to announce the formal launch of the Open Regulatory Compliance (ORC) Working Group. This initiative is designed to ensure that open source remains a powerful force for innovation while meeting the increasingly complex regulatory requirements that commercial organisations face globally.
As previously announced, this initiative has garnered the support of the world’s open source foundations, including Apache Software Foundation, Blender Foundation, FreeBSD Foundation, Matrix.org Foundation, NLnet Labs, OpenInfra Foundation, OWASP, PHP Foundation, Python Software Foundation, Ruby Central, and Rust Foundation. We also have the support of numerous civil society organisations, industry organisations, and SMEs including CodeDay, iJUG, Obeo, Open Elements, OpenForum Europe, Open Source Initiative, Payara Services, Scanoss, and Software Heritage. Today we are also announcing that we have the support of European industry heavyweights Bosch, Mercedes-Benz, Nokia, and Siemens.
This diverse collaboration highlights the industry’s shared commitment to navigating regulatory changes together and ensuring that open source continues to thrive as a pillar of modern technology.
Securing the Future of Open Source Innovation
In an era where businesses rely on open source for mission-critical applications, the ORC Working Group is essential to maintaining the competitive advantage that comes from using and contributing to open source software. As regulations evolve, commercial organisations need a clear path to stay compliant while continuing to innovate. The ORC Working Group addresses this need by helping to formalise industry-aligned best practices, helping companies leverage the full potential of open source without the risk of falling behind on new regulations.
Immediate Focus: The European Cyber Resilience Act
Open source is a cornerstone of global digital innovation, and Europe’s regulatory landscape is playing a pivotal role in shaping its future. The ORC Working Group is committed to ensuring that open source remains a vital part of the world economy, and complying with the EU’s Cyber Resilience Act (CRA) is a critical part of this. Through collaboration with European institutions, the working group is working to facilitate compliance with the CRA and similar regulations, helping businesses and developers alike stay ahead of the curve.
Keeping Innovation Compliant and Secure
With the Cyber Resilience Act as a primary focus, the ORC Working Group is looking to make progress in developing cybersecurity process specifications and best practices to support compliance. Liaison status with the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC) further strengthens the working group.
Get Involved: Shaping the Future of Open Source Compliance
As the open source ecosystem faces unprecedented regulatory challenges, now is the time for all stakeholders — developers, companies, foundations, and regulatory bodies — to come together and ensure that open source innovation remains sustainable and compliant. The Open Regulatory Compliance (ORC) Working Group offers a unique opportunity to actively shape the future of open source by helping define the standards and best practices that will keep it relevant and competitive in the face of evolving global regulations.
We invite anyone involved in the open source community — whether you’re a developer, legal expert, corporate leader, or part of a standards organisation — to join this critical effort. Your participation will not only help safeguard the future of open source, but also ensure that your organisation stays ahead of the regulatory curve.Join the ORC Working Group and the ORC mailing list today to help define the future of open source compliance.
Strengthening Open Source: Latest Updates from the Open Regulatory Compliance Working Group
Earlier this year, a significant group of open source foundations including Apache Software Foundation, Blender Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and the Eclipse Foundation – joined forces to launch an exciting new initiative. This initiative aims to help all open source participants navigate and comply with governmental regulations, ensuring the continued use and advancement of open source through the software supply chain.
This initiative is now taking shape through what is now called the Open Regulatory Compliance Working Group, hosted at the Eclipse Foundation. Since our announcement in April, we’ve been tirelessly bootstrapping this group with incredible support from the community. We’ve also welcomed additional backing from both industry and the open source community, including organisations such as CodeDay, FreeBSD Foundation, iJUG, Matrix.org Foundation, NLnet Labs, Obeo, Open Elements, OpenForum Europe, OpenInfra Foundation, OWASP, Payara Services, and Scanoss.
The Open Regulatory Compliance Working Group is bridging a critical gap between regulatory authorities and the open source ecosystem. By collaborating with relevant authorities and standards organisations, the working group aims to formalise industry best practices so they can be properly referenced in legislation and support the authorities in understanding the peculiarities of the open source ecosystem. This ensures that all open source participants can meet regulatory requirements across jurisdictions and improve software quality and security.
While the Open Regulatory Compliance Working Group is chartered to address compliance with open source-impacting requirements in general, our immediate focus is the European Cyber Resilience Act (CRA), which is on the fast track to implementation. The CRA will come into force soon, followed by a three-year transition period for ironing out implementation details. The agenda for the standardisation process in particular is very tight, as the goal of the European Commission is to have the harmonised standards, for which it issued a draft request on April 17, be available a year in advance to give the industry time for implementation. This leaves us with a very limited time to ensure the unique needs of the open source ecosystem are well understood and properly addressed.
We’re addressing this challenge through a series of parallel work streams:
- Educating the Community: We’re hosting a series of webinars with the European Commission to bring the open source community up to speed on the EU’s legislative process.These sessions are recorded and available online. The first session, “How to read the CRA: Identifying the key parts of the CRA for effective compliance” led by Enzo Ribagnac, Associate Director of European Policy at Eclipse Foundation, is already available. Slides from our second session with Benjamin Bögel, Head of Sector for Product Security and Certification Policy at the European Commission, are also available online, with the full recording coming soon. Our third session on CRA Standards with guest speaker Filipe Jones Mourão, Policy Officer at the European Commission, took place on July 29. A fourth session titled “CRA OSS implementation: Guidelines, attestations and other key documents.” is planned for September 2.
- Building an Information Hub: We are creating a centralised hub to consolidate all relevant CRA information in one easily accessible location. This hub will contain educational information, such as recordings of the webinars we have organised, a glossary of terms, key references, and the very useful flow-chart that Maarten Artsen from NLnet Labs has kindly contributed.
- Collaborating with the European Commission: We’re closely working with the European Commission services to foster understanding of the legislative and standardisation timeline so we can create and deliver the right artefacts at the right time. Following what should be the timeline defined in the Commission’s standardisation request, our immediate focus is on the horizontal standard whose content is defined in Annex I, Part I of the CRA, along with the product-specific, vertical standards outlined in Annexes III and IV.
- Pursuing Formal Liaison Status: We are seeking formal liaison status with European and National Standards Organizations to strengthen our collaboration and impact.
- Formalising Governance: We are structuring the working group so as to allow for the development of specifications through a process recognized by the European Union, as well as gather feedback from relevant authorities on the results working group community work. Stay tuned for a formal announcement in September.
- Regular Updates: We will continue to keep the community informed through regular public calls, with the next one scheduled for Tuesday, August 20 at 2pm CEST.
Join us on this transformative journey as we navigate and shape the future of open source regulatory compliance. For more details and to stay updated, join our mailing list or visit our website.
Life at Eclipse 