No video of the event yet, sorry!

By Brenno de Winter and Hans de Raad

Setting the Regulatory Stage

• Gain clarity on key cybersecurity regulations (NIS2 & CRA) affecting SMEs using open-source software.
• Understand critical compliance obligations, including risk management, incident reporting, and supply-chain security.
• Explore the accountability framework emphasizing director-level liability and structured governance.
• Learn about EU cybersecurity standards, including horizontal (CEN-CENELEC JTC 13 WG 9) and vertical sector-specific standards (ETSI TC CYBER).
• Discover practical SME resources and initiatives like CyberStand.eu and EU Cybersecurity Certification (EUCC).

The regulatory landscape in Europe is evolving rapidly. The EU Cyber Resilience Act (CRA) and the NIS2 Directive introduce mandatory security, risk management, and transparency obligations for digital products and services—including open source components used commercially. While many of these regulations aim to strengthen cybersecurity and supply chain trust, they pose significant compliance challenges for small businesses, CMS vendors, integrators, and community-driven open source projects.

To help bridge the knowledge and capability gap, this workshop translates complex legal and policy language into actionable technical and governance steps. It leverages insights from the Open Website Alliance (OWA)’s Regulatory Consultancy Baseline Report and is part of OWA’s broader effort to position open source as a secure, responsible, and strategically aligned part of the digital ecosystem.

Objectives

• To demystify CRA and NIS2 requirements for organizations involved in open source software development or commercial distribution.
• To provide practical guidance on secure software development (aligned with NIST SSDF and CRA Annex I).
• To introduce hands-on tools and workflows for SBOM generation, vulnerability disclosure, and compliance self-assessment.
• To help participants identify when and how open source projects may fall under “commercial activity” as defined by CRA Article 16.
• To support readiness for potential CE marking, notified body engagement, and/or critical entity classification under NIS2.

Who Should Attend

• Founders and CTOs of small software vendors
• Open source maintainers and project leads
• Plugin/module developers and CMS integrators
• Digital agencies and SME service providers in the CMS ecosystem
• Legal or compliance officers supporting IT operations in SMEs

Key Takeaways Participants will leave with:

• A clear understanding of the regulatory obligations introduced by CRA and NIS2.
• A practical toolkit for starting or improving secure-by-design development practices.
• Ready-to-use templates for risk assessment, SBOM management, and compliance planning.
• Insights into how non-commercial vs. commercial thresholds affect OSS obligations.
• Guidance on how to join standardization or consultation processes to help shape future rules.