Presented by:

Hans de Raad

from OpenNovations

Independent consultant, open-source enthusiast (openSUSE, Drupal, etc.). Also a big classical music lover (artistic manager of the Huygensfestival in Voorburg, supporter of several international chamber music festivals in and around The Hague, The Netherlands). One of my company's basic philosophies is: if open source provides you with a stable revenue (thank you, 10x), you should do something in return. So my company donates 10% of its annual profit to one of the projects we've been using that year. This contribution can also take the form of providing help, e.g. in 2015 I was project lead and organizer for the openSUSE conference in The Hague!

No video of the event yet, sorry!

By Brenno de Winter and Hans de Raad

The regulatory landscape in Europe is evolving rapidly. The EU Cyber Resilience Act (CRA) and the NIS2 Directive introduce mandatory security, risk management, and transparency obligations for digital products and services, including open source components that are used or distributed commercially. While both regulations aim to strengthen cybersecurity and supply chain trust, they pose significant compliance challenges for small businesses, CMS vendors, integrators, and community-driven open source projects.

To help bridge the knowledge and capability gap, this workshop translates complex legal and policy language into actionable technical and governance steps. It draws on the Open Website Alliance (OWA) Regulatory Consultancy Baseline Report and is part of OWA's broader effort to position open source as a secure, responsible, and strategically aligned part of the digital ecosystem.

Objectives

To demystify CRA and NIS2 requirements for organizations involved in open source software development or commercial distribution.

To provide practical guidance on secure software development (aligned with NIST SSDF and CRA Annex I).

To introduce hands-on tools and workflows for SBOM generation, vulnerability disclosure, and compliance self-assessment.

To help participants identify when and how open source projects may fall under “commercial activity” as defined by CRA Article 16.

To support readiness for potential CE marking, notified body engagement, and/or classification as an essential or important entity under NIS2.

Who Should Attend

Founders and CTOs of small software vendors

Open source maintainers and project leads

Plugin/module developers and CMS integrators

Digital agencies and SME service providers in the CMS ecosystem

Legal or compliance officers supporting IT operations in SMEs

Key Takeaways

Participants will leave with:

A clear understanding of the regulatory obligations introduced by CRA and NIS2.

A practical toolkit for starting or improving secure-by-design development practices.

Ready-to-use templates for risk assessment, SBOM management, and compliance planning.

Insights into how non-commercial vs. commercial thresholds affect OSS obligations.

Guidance on how to join standardization or consultation processes to help shape future rules.

Format

1-day workshop (or 2 × 3-hour sessions)

Mix of expert presentations, group exercises, and live tooling demos

Optional hands-on lab: generating and validating SBOMs with CycloneDX, Dependency-Track, and Aranei
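As an added illustration of what the SBOM lab covers (example code written for this page, not workshop material and not the CycloneDX, Dependency-Track or Aranei tooling itself), the script below builds a minimal CycloneDX 1.5 JSON document from a constructed component inventory and then runs the structural checks a consumer would apply before accepting an SBOM: required top-level fields, a `urn:uuid:` serial number, a `pkg:` purl on every component, unique `bom-ref` values, and a dependency graph in which every reference resolves. The component names, versions and purls are made up; `validate_sbom` is a hand-written checker, not the official CycloneDX schema validation.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed inventory for a hypothetical CMS site; names and versions are made up.
SAMPLE_COMPONENTS = [
    {"name": "example-cms-core", "version": "10.3.1",
     "purl": "pkg:composer/example/cms-core@10.3.1", "depends_on": ["twig"]},
    {"name": "twig", "version": "3.8.0",
     "purl": "pkg:composer/twig/twig@3.8.0", "depends_on": []},
    {"name": "example-theme", "version": "2.0.0",
     "purl": "pkg:npm/example-theme@2.0.0", "depends_on": []},
]


def build_sbom(components, app_name, app_version):
    """Return a CycloneDX 1.5 JSON-compatible dict describing `app_name`.

    The purl doubles as the bom-ref: it is unique per component here, so the
    `dependencies` graph can point at components without a second identifier.
    """
    root_ref = f"pkg:generic/{app_name}@{app_version}"
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": app_name,
                          "version": app_version, "bom-ref": root_ref},
        },
        "components": [],
        # The application depends directly on every listed component.
        "dependencies": [{"ref": root_ref, "dependsOn": [c["purl"] for c in components]}],
    }
    by_name = {c["name"]: c["purl"] for c in components}
    for c in components:
        bom["components"].append({"type": "library", "name": c["name"], "version": c["version"],
                                  "purl": c["purl"], "bom-ref": c["purl"]})
        bom["dependencies"].append({"ref": c["purl"],
                                    "dependsOn": [by_name[d] for d in c["depends_on"]]})
    return bom


def validate_sbom(bom):
    """Return a list of problems; an empty list means the SBOM passed these checks."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if bom.get("specVersion") not in {"1.4", "1.5", "1.6"}:
        problems.append(f"unsupported specVersion {bom.get('specVersion')!r}")
    if not str(bom.get("serialNumber", "")).startswith("urn:uuid:"):
        problems.append("serialNumber must be a urn:uuid")
    refs = set()
    root = bom.get("metadata", {}).get("component", {})
    if root.get("bom-ref"):
        refs.add(root["bom-ref"])
    for i, comp in enumerate(bom.get("components", [])):
        for key in ("type", "name", "version"):
            if key not in comp:
                problems.append(f"component[{i}] missing {key}")
        # Without a purl a scanner cannot match the component against advisories.
        if not str(comp.get("purl", "")).startswith("pkg:"):
            problems.append(f"component[{i}] ({comp.get('name')}) has no pkg: purl")
        ref = comp.get("bom-ref")
        if ref in refs:
            problems.append(f"duplicate bom-ref {ref!r}")
        if ref:
            refs.add(ref)
    # Every edge in the dependency graph must point at a declared bom-ref.
    for dep in bom.get("dependencies", []):
        if dep.get("ref") not in refs:
            problems.append(f"dependency ref {dep.get('ref')!r} does not resolve")
        for target in dep.get("dependsOn", []):
            if target not in refs:
                problems.append(f"{dep.get('ref')!r} depends on unknown ref {target!r}")
    return problems


def sbom_json(bom):
    """Serialise the SBOM the way it would be written to disk or uploaded."""
    return json.dumps(bom, indent=2, sort_keys=True)


if __name__ == "__main__":
    sbom = build_sbom(SAMPLE_COMPONENTS, "example-site", "1.0.0")
    print(sbom_json(sbom))
    print("problems:", validate_sbom(sbom) or "none")
```

The dangling-reference and missing-purl checks are the ones that matter in practice: an SBOM that lists a component without a purl, or whose dependency graph points at bom-refs that do not exist, will be accepted as a file by most tooling yet silently produces no vulnerability matches for that component downstream.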

Date:
2025 June 26 - 15:15
Duration:
1 h
Room:
Seminar Room 2
Language:
Track:
Open Source for Business: Beyond Code into Sustainability
Difficulty:
Easy

Happening at the same time:

  1. OpenQA Discussion Round – Ask the Devs Anything! (Start Time: 2025 June 26 14:45, Room: Seminar Room 1)
  2. Slowroll (Start Time: 2025 June 26 15:15, Room: Saal)
  3. The Unified Kernel Image in openSUSE distribution (Start Time: 2025 June 26 15:15, Room: Gallerie)
  4. Run your LLM locally and turn them into Agents (Start Time: 2025 June 26 16:00, Room: Seminar Room 1)
  5. Fine tuning log routing (Start Time: 2025 June 26 16:00, Room: Gallerie)
  6. The Great Migration? (Part 1) (Start Time: 2025 June 26 16:00, Room: Saal)