Which law affects you?
Four new EU laws fundamentally change how companies must handle open source software. Each of these laws obliges you to actively manage your software supply chain — including the open source components you did not develop yourself.
Find out which law applies to your company.
DORA — Financial sector
Affected: Banks, insurance companies, payment service providers, investment firms, fund managers, crypto-asset service providers, and the ICT third-party service providers that serve them.
What is at stake: The management body carries ultimate responsibility for managing ICT risk (Art. 5(2) DORA), so failures land on named executives rather than on "the IT department". Sanctions against financial entities are set by each member state (Art. 50) and sanction decisions are published (Art. 54). The daily periodic penalty payment of up to 1% of average worldwide daily turnover (Art. 35(6)) is the instrument used against critical ICT third-party service providers. D&O policies commonly exclude deliberate breaches of the law, so cover should be checked rather than assumed.
What DORA requires: Open source analyses are named explicitly as a digital operational resilience testing method (Art. 25(1)); a register of information covering all contractual arrangements with ICT third-party service providers must be maintained (Art. 28(3)); documented exit strategies are required for ICT services supporting critical or important functions (Art. 28(8)).
NIS2 — Critical infrastructure
Affected: 18 sectors (11 in Annex I, 7 in Annex II), from energy and healthcare to digital infrastructure. In Germany, the implementing law covers companies in these sectors with 50 or more employees, or with annual turnover and balance sheet total above EUR 10 million; certain entities such as DNS providers, TLD registries and trust service providers are covered regardless of size.
What is at stake: Fines of up to EUR 10 million or 2% of worldwide annual turnover for essential entities and up to EUR 7 million or 1.4% for important entities (Art. 34); temporary prohibition of management functions for executives of essential entities (Art. 32(5)); public disclosure of violations by the BSI. Management bodies must approve and oversee the risk management measures and can be held liable for infringements (Art. 20).
What NIS2 requires: Supply chain security as a mandatory risk management measure, including the security of relationships with direct suppliers (Art. 21(2)(d)); vulnerability handling and disclosure (Art. 21(2)(e)); measures proportionate to the risk and reflecting the state of the art (Art. 21(1)).
CRA — Software manufacturers
Affected: Manufacturers of products with digital elements placed on the EU market, from desktop applications to IoT devices, together with the importers and distributors of such products. Open source software supplied outside a commercial activity is largely out of scope, but the obligations attach to whoever places a product on the market: once an open source component is part of your product, its vulnerabilities are your responsibility.
What is at stake: Fines of up to EUR 15 million or 2.5% of worldwide annual turnover for breaches of the essential requirements (Art. 64), representative (collective) actions, EU-wide corrective measures up to withdrawal or recall, and market loss because a non-conforming product cannot carry the CE marking.
What the CRA requires: A support period of at least five years, unless the product is expected to be in use for a shorter time (Art. 13(8)); an SBOM in a commonly used, machine-readable format covering at least the top-level dependencies (Annex I Part II); reporting of actively exploited vulnerabilities with an early warning within 24 hours, a notification within 72 hours and a final report within 14 days (Art. 14); and placing on the market only products without known exploitable vulnerabilities (Annex I Part I). The reporting obligations apply from 11 September 2026, the remaining obligations from 11 December 2027.
Product Liability — All software providers
Affected: All companies that place software on the market as a product or as a component of a product, including the manufacturer of the final product into which the software is integrated.
What is at stake: The option for member states to cap liability has been removed, as has the former EUR 500 minimum-damage threshold. Destruction or corruption of data not used for professional purposes is recognised as compensable damage for the first time. Claimants benefit from disclosure obligations and from presumptions of defectiveness and causation where proving them would be excessively difficult. Member states must transpose Directive (EU) 2024/2853 by 9 December 2026.
What the new Directive requires: A product is defective when it does not provide the safety a person is entitled to expect, and that includes failing to supply the security updates needed to keep it safe while it remains under the manufacturer's control. In practice you must be able to show demonstrable due diligence in the selection and maintenance of every software component, open source included, with governance documented across the entire lifecycle.
Our focus: the open source components of your supply chain
OTTRIA focuses exclusively on the open source components of your software supply chain. We do not replace your IT security department, your compliance advisors, or your system integrators; those remain responsible for everything else. What nobody else covers is the systematic maintenance, monitoring, and documentation of the hundreds of open source projects your software depends on.
What this means in practice
800 projects in the SBOM. That is not an exaggeration: it is everyday reality in regulated companies. 800 projects mean 15 or more programming languages, hundreds of maintainers in different time zones, no SLAs, no contracts, and no ability to intervene. Yet you bear full responsibility for every single one of these components.
Solvable internally? Do the maths: even with a specialised team of five to seven experts, which you would first need to build and retain, you cover at best the most common languages and projects. The less well-known dependencies, which are the majority, remain unmonitored.