Earlier this year, a significant group of open source foundations including Apache Software Foundation, Blender Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and the Eclipse Foundation – joined forces to launch an exciting new initiative. This initiative aims to help all open source participants navigate and comply with governmental regulations, ensuring the continued use and advancement of open source through the software supply chain.
This initiative is now taking shape through what is now called the Open Regulatory Compliance Working Group, hosted at the Eclipse Foundation. Since our announcement in April, we’ve been tirelessly bootstrapping this group with incredible support from the community. We’ve also welcomed additional backing from both industry and the open source community, including organisations such as CodeDay, FreeBSD Foundation, iJUG, Matrix.org Foundation, NLnet Labs, Obeo, Open Elements, OpenForum Europe, OpenInfra Foundation, OWASP, Payara Services, and Scanoss.
The Open Regulatory Compliance Working Group is bridging a critical gap between regulatory authorities and the open source ecosystem. By collaborating with relevant authorities and standards organisations, the working group aims to formalise industry best practices so they can be properly referenced in legislation and support the authorities in understanding the peculiarities of the open source ecosystem. This ensures that all open source participants can meet regulatory requirements across jurisdictions and improve software quality and security.
While the Open Regulatory Compliance Working Group is chartered to address compliance with open source-impacting requirements in general, our immediate focus is the European Cyber Resilience Act (CRA), which is on the fast track to implementation. The CRA will come into force soon, followed by a three-year transition period for ironing out implementation details. The agenda for the standardisation process in particular is very tight, as the goal of the European Commission is to have the harmonised standards, for which it issued a draft request on April 17, be available a year in advance to give the industry time for implementation. This leaves us with a very limited time to ensure the unique needs of the open source ecosystem are well understood and properly addressed.
We’re addressing this challenge through a series of parallel work streams:
- Educating the Community: We’re hosting a series of webinars with the European Commission to bring the open source community up to speed on the EU’s legislative process.These sessions are recorded and available online. The first session, “How to read the CRA: Identifying the key parts of the CRA for effective compliance” led by Enzo Ribagnac, Associate Director of European Policy at Eclipse Foundation, is already available. Slides from our second session with Benjamin Bögel, Head of Sector for Product Security and Certification Policy at the European Commission, are also available online, with the full recording coming soon. Our third session on CRA Standards with guest speaker Filipe Jones Mourão, Policy Officer at the European Commission, took place on July 29. A fourth session titled “CRA OSS implementation: Guidelines, attestations and other key documents.” is planned for September 2.
- Building an Information Hub: We are creating a centralised hub to consolidate all relevant CRA information in one easily accessible location. This hub will contain educational information, such as recordings of the webinars we have organised, a glossary of terms, key references, and the very useful flow-chart that Maarten Artsen from NLnet Labs has kindly contributed.
- Collaborating with the European Commission: We’re closely working with the European Commission services to foster understanding of the legislative and standardisation timeline so we can create and deliver the right artefacts at the right time. Following what should be the timeline defined in the Commission’s standardisation request, our immediate focus is on the horizontal standard whose content is defined in Annex I, Part I of the CRA, along with the product-specific, vertical standards outlined in Annexes III and IV.
- Pursuing Formal Liaison Status: We are seeking formal liaison status with European and National Standards Organizations to strengthen our collaboration and impact.
- Formalising Governance: We are structuring the working group so as to allow for the development of specifications through a process recognized by the European Union, as well as gather feedback from relevant authorities on the results working group community work. Stay tuned for a formal announcement in September.
- Regular Updates: We will continue to keep the community informed through regular public calls, with the next one scheduled for Tuesday, August 20 at 2pm CEST.
Join us on this transformative journey as we navigate and shape the future of open source regulatory compliance. For more details and to stay updated, join our mailing list or visit our website.