BRUSSELS – 24 September 2024 – The Eclipse Foundation, one of the world’s largest open source foundations, has announced the formation of the Open Regulatory Compliance Working Group (ORC WG). This pioneering initiative aims to support participants across the global open source community—including developers, enterprises, industries, and open source foundations—in navigating and adhering to evolving regulatory frameworks. Additionally, the working group will work closely with governments and regulatory bodies to enhance their understanding of the unique open source development model. Supported by prominent open source foundations and global technology leaders, this collaborative effort is dedicated to advancing the open source model in an increasingly regulated software supply chain.
“Given the impact of software technology on the global economy, it is unsurprising that governments worldwide are enacting new regulations to safeguard privacy, security, and accessibility,” said Mike Milinkovich, executive director of the Eclipse Foundation. “The Open Regulatory Compliance Working Group was created to bridge the gap between regulatory authorities and the open source ecosystem, ensuring organisations and developers can leverage open source technologies while remaining compliant with evolving global regulations.”
The newly established working group is committed to formalising industry best practices and offering essential resources to help organisations navigate regulatory requirements across multiple jurisdictions. Additionally, it aims to assist government entities in providing greater legal certainty to the open source ecosystem and software supply chain.
Through collaboration and guidance, the group seeks to elevate software quality and security in open source projects. Backed by the Eclipse Foundation's strong commitment to open source supply chain security, the working group leverages a team of expert security professionals and rigorous processes. As a CVE Numbering Authority, the Eclipse Foundation plays a key role in effective vulnerability management, ensuring that security remains a top priority for all contributors, projects, and users within the ecosystem.
While the Open Regulatory Compliance Working Group is chartered to address compliance with open source-impacting requirements in general, its immediate focus is the European Cyber Resilience Act (CRA). With the CRA rapidly approaching implementation, the working group’s immediate efforts are centred on ensuring compliance with this new legislation.
Current Initiatives:
- Process Specifications: Development of cybersecurity process specifications and best practices aligned with the requirements of the CRA.
- Collaboration with European Authorities: The working group actively engages with the various European institutions to understand legislative timelines and produce timely compliance materials, with a primary focus on the CRA.
- Formalising Standards Participation: Having secured formal liaison status with the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC), the working group is actively pursuing working relationships with other European and National Standards Organizations to expand its contribution on regulatory standards.
- Community and Industry Education: A series of webinars with European Commission staff aims to keep the open source community informed about the EU’s legislative process. Recordings and materials, including sessions like "How to Read the CRA" led by Enzo Ribagnac, Associate Director for European Policy at Eclipse Foundation, are available here.
- Centralised Information Hub: The working group is developing a central resource to house all relevant CRA-related content, including webinars, glossaries, flowcharts, and FAQs to inform EU guidelines.
Collaborative Engagement:
The working group has garnered significant support from a broad range of open source organisations and private companies. As of the date of this announcement, participant organisations include: Apache Software Foundation (ASF), Blender Foundation, Robert Bosch GmbH, CodeDay, The Document Foundation, FreeBSD Foundation, iJUG, Lunatech, Matrix.org Foundation, Mercedes-Benz Tech Innovation GmbH, Nokia, NLnet Labs, Obeo, Open Elements, OpenForum Europe, OpenInfra Foundation, Open Source Initiative (OSI), Open Source Robotics Foundation (OSRF), OWASP, Payara Services, The PHP Foundation, Python Software Foundation, Rust Foundation, SCANOSS, Siemens, and Software Heritage.
For more information on joining the Open Regulatory Compliance Working Group, visit the participation page.
Member Quotes:
Apache Software Foundation (ASF)
“The CRA will impact open source users and producers alike. Legislators will benefit from the brain trust of open source organisations that Eclipse has brought together to ensure that the legislation is crafted in a way that protects all parties. The Apache Software Foundation is committed to safeguarding our digital future by addressing the multifaceted challenges of cybersecurity in the open source ecosystem, and cooperating with and implementing the CRA.” – David Nalley, President of the Apache Software Foundation
“Bosch supports the EU Cyber Resilience Act (CRA) as a harmonised cybersecurity framework, but also recognizes the crucial role of open-source software (OSS) in its supply chain. Thus, it is vital to regulate the use of OSS in a reasonable way. This requires new processes for OSS due diligence, developed through close collaboration between OSS stewards and manufacturers. We welcome the Eclipse Foundation's initiative to provide software security specifications aligned with open-source practices. We are convinced that by bringing together industry leaders, SMEs, researchers, and OSS experts, we will be able to develop processes that meet regulations while also supporting open development. We also expect these processes to serve as blueprints for the upcoming EU Data and AI Act and future regulations.” – Dr. Andreas Nauerz, Executive Vice President at Robert Bosch GmbH
“The Document Foundation participates in the Open Regulatory Compliance Working Group because it believes that the development of common best practices for the security of open source software is an important factor in the recognition of FOSS as a key element of the global information technology infrastructure and compliance with laws such as the Cyber Resilience Act in the EU.” – Italo Vignoli, Director at The Document Foundation
“The FreeBSD Foundation is proud to participate in the Open Regulatory Compliance Working Group. This initiative is key to helping developers and organisations continue innovating while navigating complex global regulations like the European Cyber Resilience Act. We believe collaboration within the open source community is essential to overcoming these challenges, and we’re excited to contribute to this important effort.” – Deb Goodkin, Executive Director of the FreeBSD Foundation
“We support the mission of the Open Regulatory Compliance Working Group to help shape the future of secure software development in Europe, together with the European Commission, Open Source foundations and other industry players.” – Jochen Strenkert, Chief Engineer MB.OS
“Open source communities and the software they produce are ever more important for the whole industry. This is exactly why for Nokia the wellbeing and sustainability of the open source communities is paramount. The European Union Cyber Resilience Act (CRA) brings potential new requirements to the open source communities. Nokia strongly believes that the targets of the EU CRA and the best outcome can only be achieved by the open source community having a strong voice in this process. We believe that the Open Regulatory Compliance Working Group is the way to achieve this. Therefore, Nokia is honoured to join the ORC WG. We are looking forward to working as part of the community to ensure getting the best possible outcome of the EU CRA for everybody.” – Jonne Soininen, Head of Open Source Initiatives at Nokia
"As an SME with open-source in its DNA and a strategic member of the Eclipse Foundation, Obeo is thrilled to join the Open Regulatory Compliance Working Group. Collaborating with major industry players in critical and strategic sectors, we believe that open innovation is essential for navigating the evolving regulatory landscape. We stress the importance of new regulations recognizing the unique nature of this model to ensure that communities continue to thrive while complying with governmental requirements." – Cédric Brun, President of Obeo
The Open Source Initiative (OSI)
“Compliance with the Cyber Resilience Act and other upcoming legislation poses a new challenge for the Open Source community. The Open Regulatory Compliance Working Group gives us an opportunity to find solutions together, and to work with lawmakers and regulatory bodies to help them better understand Open Source. We very much look forward to contributing to the working group.” – Stefano Maffulli, Executive Director at OSI
Open Source Robotics Foundation (OSRF)
“The OSRF is pleased to be involved in the Open Regulatory Compliance Working Group. As well as finding and creating best practices and methodologies for open-source projects to follow when complying with the EU’s new Cyber Resilience Act, the outputs of this working group will enable open-source projects, including in robotics, to also comply with other existing and future regulations that create a safer and more secure world for all. We are honoured to be working with other open-source foundations on this critical task.” – Geoff Biggs, CTO at the Open Source Robotics Foundation
“At Payara, we are proud to be an active participant in the Open Regulatory Compliance Working Group (ORC WG). By collaborating with other ORC WG members, we will contribute to the development of best practices, guidelines, and standards that will help the open-source community meet evolving regulatory requirements, starting with the European Cyber Resilience Act (CRA). We believe that the implementation of these regulations is essential for ensuring safer software and robust protection for users and enterprises worldwide. Our active participation in this working group underscores our dedication to keeping open-source solutions a trusted choice for companies globally.” – Steve Millidge, Founder at Payara Services Ltd
“We're delighted to be joining the Open Regulatory Compliance Working Group. With new regulations such as the Cyber Resilience Act (CRA) on the horizon, it's great to be working with other Open Source foundations. We'll share what we know about building secure software and learn from one another. Our goal is simple: to help make these new regulations work for everyone, without stifling the creativity that makes Open Source so great.” – Roman Pronskiy, Executive Director at the PHP Foundation
“The safety and security of Python is important to all our users for different reasons, but the recent Cyber Resilience Act (CRA) has created a sharp incentive to work on a collective understanding of best practices for all stakeholders. We appreciate the opportunity to share and collaborate on these topics with our open source peers via the Open Regulatory Compliance Working Group.” – Deb Nicholson, Executive Director at Python Software Foundation
“The Rust Foundation is delighted to join the Open Regulatory Compliance Working Group. We look forward to working collaboratively with key Open Source and Industry stakeholders to ensure that emerging and evolving regulation is high quality, accommodating of the unique and valuable features of Open Source, and fit for purpose.” – Rebecca Rumbul, Executive Director & CEO, Rust Foundation
"Every day, we see the growing need for regulatory tools and robust supply chain security. SCANOSS is dedicated to providing the most comprehensive Open Source detection and SBOM solution, helping organisations mitigate risk and comply with regulations like the CRA. We are honoured to join the Eclipse Foundation in leading this effort to ensure the security and resilience of the open source software supply chain." – Alan Facey, CEO at SCANOSS
"Open source technologies are embedded in and vital to many of our solutions. Through our involvement in the Open Regulatory Compliance Working Group, we actively shape standards to ensure compliance with evolving regulations." – Oliver Fendt, Senior Manager Open Source at Siemens
"The mission of Software Heritage, launched by Inria and in partnership with UNESCO, is to collect, preserve and share all publicly available software source code. With over 50 billion software artefacts secured through the Software Hash Identifier (SWHID) specification, we guarantee long-term availability, ensure integrity, and enable traceability across the entire software ecosystem. As a foundational non profit open infrastructure for software integrity and compliance, we are excited to join the Open Regulatory Compliance Working Group to support the evolving regulatory landscape and ensure the open source ecosystem thrives." – Roberto Di Cosmo, co-founder and director, Software Heritage
About the Eclipse Foundation
The Eclipse Foundation provides our global community of individuals and organisations with a business-friendly environment for open source software collaboration and innovation. We host the Eclipse IDE, Adoptium, Software Defined Vehicle, Jakarta EE, and over 415 open source projects, including runtimes, tools, specifications, and frameworks for cloud and edge applications, IoT, AI, automotive, systems engineering, open processor designs, and many others. Headquartered in Brussels, Belgium, the Eclipse Foundation is an international non-profit association supported by over 360 members. Visit us at this year’s Open Community Experience (OCX) conference on 22-24 October 2024 in Mainz, Germany. To learn more, follow us on social media @EclipseFdn, LinkedIn, or visit eclipse.org.
Third-party trademarks mentioned are the property of their respective owners.
###
Media contacts:
Schwartz Public Relations for the Eclipse Foundation, AISBL (Germany)
Gloria Huppert/Marita Bäumer
Sendlinger Straße 42A
80331 Munich
EclipseFoundation@schwartzpr.de
+49 (89) 211 871 -70/ -62
Nichols Communications for the Eclipse Foundation, AISBL
Jay Nichols
+1 408-772-1551
514 Media Ltd for the Eclipse Foundation, AISBL (France, Italy, Spain)
Benoit Simoneau
M: +44 (0) 7891 920 370