No video of the event yet, sorry!

By Brenno de Winter and Hans de Raad

Technical Implementation & Future-Ready Practices

• Understand the critical importance of supply chain security, including practical tools (Dependency-Track, CycloneDX, SPDX).
• Learn how to generate and automate Software Bill of Materials (SBOM) within your CI/CD pipeline.
• Implement secure-by-default configurations and continuous vulnerability scanning (Docker Bench, Trivy).
• Establish efficient Coordinated Vulnerability Disclosure (CVD) processes with clear workflows and communication strategies.
• Review real-world SME case studies and gain actionable insights for future-ready cybersecurity compliance.

The regulatory landscape in Europe is evolving rapidly. The EU Cyber Resilience Act (CRA) and the NIS2 Directive introduce mandatory security, risk management, and transparency obligations for digital products and services—including open source components used commercially. While many of these regulations aim to strengthen cybersecurity and supply chain trust, they pose significant compliance challenges for small businesses, CMS vendors, integrators, and community-driven open source projects.

To help bridge the knowledge and capability gap, this workshop translates complex legal and policy language into actionable technical and governance steps. It leverages insights from the Open Website Alliance (OWA)’s Regulatory Consultancy Baseline Report and is part of OWA’s broader effort to position open source as a secure, responsible, and strategically aligned part of the digital ecosystem.

Objectives

• To demystify CRA and NIS2 requirements for organizations involved in open source software development or commercial distribution.
• To provide practical guidance on secure software development (aligned with NIST SSDF and CRA Annex I).
• To introduce hands-on tools and workflows for SBOM generation, vulnerability disclosure, and compliance self-assessment.
• To help participants identify when and how open source projects may fall under “commercial activity” as defined by CRA Article 16.
• To support readiness for potential CE marking, notified body engagement, and/or critical entity classification under NIS2.

Who Should Attend

• Founders and CTOs of small software vendors
• Open source maintainers and project leads
• Plugin/module developers and CMS integrators
• Digital agencies and SME service providers in the CMS ecosystem
• Legal or compliance officers supporting IT operations in SMEs

Key Takeaways Participants will leave with:

• A clear understanding of the regulatory obligations introduced by CRA and NIS2.
• A practical toolkit for starting or improving secure-by-design development practices.
• Ready-to-use templates for risk assessment, SBOM management, and compliance planning.
• Insights into how non-commercial vs. commercial thresholds affect OSS obligations.
• Guidance on how to join standardization or consultation processes to help shape future rules.