Open source is now a board-level issue. OTTRIA makes it manageable.
OTTRIA — the Open Source Trust, Threat and Risk Intelligence Alliance — is the
European partner for your open source supply chain. New EU legislation holds
management personally liable for securing their software supply chain. This
includes every open source component in your organisation. OTTRIA closes this
gap — with documented processes, measurable results, and audit-ready evidence.
Five laws, one responsibility
DORA requires financial institutions to perform open source analyses as part of their resilience testing (Art. 25(1)). Personal liability of the management body; periodic penalty payments of up to 1% of average daily worldwide turnover (for critical ICT third-party service providers, Art. 35(6)).
NIS2 covers 18 critical infrastructure sectors. Supply chain security is mandatory (Art. 21(2)(d)). Fines of up to EUR 10 million or 2% of worldwide annual turnover for essential entities (Art. 34(4)).
The Product Liability Directive makes software a product for the first time. No liability cap; defectiveness is presumed where the manufacturer cannot produce the relevant documentation.
GDPR requires the state of the art and ongoing resilience (Art. 32(1)). Outdated open source components constitute an independent ground for fines of up to EUR 20 million or 4% of worldwide annual turnover.
Open source is embedded in virtually every enterprise application. The new laws make you responsible — for every single component.
Why existing solutions fall short
Scanners are a good first step. Catalogue providers help with selected
projects. But a typical software bill of materials contains hundreds of entries.
- SCA tools find registered vulnerabilities, but they fix none of them. They also miss silent fixes: security-relevant patches that upstream projects commit without ever requesting a CVE or publishing an advisory. Such fixes occur four to eleven times more frequently than registered CVEs. As long as nobody applies the fix, your system remains vulnerable, and your scanner stays green.
- Catalogue providers support selected end products, such as an end-of-life framework or a legacy distribution, but not their dependencies. The hundreds of libraries those products depend on remain unmonitored, even though you are liable for them too.
- Enterprise support covers popular stacks, but not the thousands of small libraries that hold your software together. When one of those fails, your operations still grind to a halt.
Scanners are Layer 1: visibility. OTTRIA is Layers 2 and 3: intervention and
governance.
Three pillars for your open source security
Risk Intelligence: We identify risks before they become public. Through our active participation in open source projects, we detect vulnerabilities, silent fixes, and project decay early, before the public CVE disclosure.
Operational Support: We solve problems rather than just flagging them. When a vulnerability needs fixing, we coordinate the fix with the upstream project or create it ourselves. For abandoned projects, we ensure continued maintenance.
Compliance Enablement: We deliver the evidence your auditor expects. Risk assessments, remediation histories, and SBOMs with maintenance status, audit-ready for DORA, NIS2, and CRA.
Find your entry point
Financial sector (DORA): BaFin licence? Personal management liability and mandatory open source analyses affect you directly.
Critical infrastructure (NIS2): 18 sectors, fines of up to EUR 10 million, personal management liability.
Software manufacturers (CRA): CE marking, five years of security obligations, 24-hour reporting deadlines.
All software vendors (Product Liability): Software is a product for the first time. No liability cap, reversal of the burden of proof where documentation is missing.
Software service providers and agencies: You develop software for clients? Legally, you are the manufacturer, with all obligations under CRA, Product Liability, DORA, and NIS2, regardless of whether the finished product is distributed under your name or your client's.
All enterprises (GDPR): Everyone processes personal data. Art. 32 requires the state of the art and ongoing resilience; outdated or unmaintained open source components constitute an independent ground for fines. Documented due diligence has a mitigating effect on fines under Art. 83(2)(d).