Glossary
Alphabetically sorted overview of all abbreviations, technical terms, and legal references used on this website.
BaFin
Bundesanstalt für Finanzdienstleistungsaufsicht (Federal Financial Supervisory Authority). The German supervisory authority for the financial sector. In the context of DORA, BaFin is the competent authority overseeing financial institutions' compliance with the regulation in Germany and can impose sanctions.
Betreuungspyramide (support pyramid)
The three-tier model OTTRIA uses to structure open source supply chain security. Layer 1 is visibility (e.g. through SCA tools and SBOM creation). Layer 2 is intervention (fixing vulnerabilities, creating patches, upstream work). Layer 3 is governance (audit-ready documentation, risk assessment, compliance evidence). OTTRIA covers Layers 2 and 3, complementary to existing scanner solutions.
BSI
Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security). The competent authority in Germany for the implementation and enforcement of the NIS2 Directive. Affected companies must register with the BSI (Section 33(1) NIS2UmsuCG).
Bug Bounty
A programme in which security researchers receive a financial reward for responsibly reporting vulnerabilities in software. OTTRIA funds bug bounty programmes for open source projects included in clients' SBOMs, and as a sponsor receives reports directly.
CE marking
Conformity marking confirming that a product meets the essential requirements of the relevant EU legislation. The CRA requires CE marking for software for the first time (Art. 29, 30 CRA). Open Source Stewards are not permitted to affix CE marking (Recital 19 CRA).
Community effect
OTTRIA's scaling principle: projects appearing in the SBOMs of multiple clients are managed collectively. The more clients OTTRIA has, the better the coverage for everyone, because the maintenance effort is distributed across multiple customers.
CRA
Cyber Resilience Act. Regulation (EU) 2024/2847. Introduces mandatory cybersecurity requirements for all products with digital elements placed on the EU market. Key elements: CE marking for software, SBOM obligation, at least five years of security support, 24-hour vulnerability reporting deadlines. Contains the definition of the open source software steward in Art. 3 No. 14. Applies directly in all EU member states. Reporting obligations apply from 11 September 2026, full application from 11 December 2027.
CSIRT
Computer Security Incident Response Team. In the NIS2 context, a nationally designated CSIRT acts as coordinator for coordinated vulnerability disclosure (Art. 12(1) NIS2). The CSIRT mediates between vulnerability reporters and manufacturers and coordinates disclosure.
CVE
Common Vulnerabilities and Exposures. A standardised system for identifying and naming publicly known security vulnerabilities in software. Each registered vulnerability receives a unique CVE number. SCA tools check software components against CVE databases. For every registered CVE, there are on average 4 to 11 silent fixes not captured in any database.
D&O
Directors and Officers. D&O insurance is the liability insurance for managing directors and board members. D&O policies typically exclude wilful legal violations. Since DORA and NIS2 establish personal obligations for management, inaction can be deemed a legal violation that the D&O policy does not cover.
Decision Debt
Deferred architecture and design decisions in software projects that lead to growing security risk. Examples: outdated cryptography libraries, insecure build systems, API redesigns never implemented. Decision Debt is more dangerous than registered CVEs because it is not captured in any database and is not detected by any scanner.
GDPR
General Data Protection Regulation, Regulation (EU) 2016/679. Directly applicable law in all member states since 25 May 2018. Particularly relevant for open source governance are the principles under Art. 5 (integrity and confidentiality, accountability), data protection by design under Art. 25, security of processing under Art. 32 (state of the art, resilience "on a permanent basis", regular review), the 72-hour notification deadline under Art. 33, and fine assessment under Art. 83, which expressly considers documented TOMs under Art. 25 and 32 as a mitigating factor.
DORA
Digital Operational Resilience Act. Regulation (EU) 2022/2554. Applicable since January 2025 to 21 categories of financial institutions and their ICT third-party service providers. Key requirements: ICT risk management under board responsibility, complete ICT asset inventory, open source analyses as an explicit mandatory testing method (Art. 25(1)), personal liability of the management body (Art. 5(2a)). Applies directly in all EU member states.
ENISA
European Union Agency for Cybersecurity. Among other things, develops and maintains the European vulnerability database (Art. 12(2) NIS2) and publishes implementation guidelines on NIS2, including specific guidelines on handling open source software.
EWG (Recital)
Recitals (German: Erwägungsgründe, EWG) are the introductory sections of an EU regulation or directive that explain the objectives and context of the individual provisions. They are not directly legally binding but serve as an aid in interpreting the legal articles. On this website they are referenced as "EWG" followed by the number, e.g. EWG 18-20 CRA on the scope of application for open source software.
FOSS
Free and Open Source Software. The CRA defines FOSS as software whose source code is openly shared and that is available under a free open source licence (Art. 3 No. 48 CRA). Manufacturers must exercise due diligence when integrating FOSS components (Art. 13(5) CRA).
ICT
Information and Communication Technology. The central umbrella term in DORA for all IT-related systems, services, and processes. DORA requires, among other things, a comprehensive ICT risk management framework (Art. 6), inventory of all ICT assets (Art. 8), and management of ICT third-party risks (Art. 28).
ISO/IEC 18974
International standard for open source security assurance (ISO/IEC 18974:2023). Defines 16 core requirements for an open source security programme in the areas of governance, detection, vulnerability management, and SBOM maintenance. Considered a reference for the "state of the art" referenced by DORA (Art. 6(2)), NIS2 (Art. 21(1)), and the CRA (Recital 34). Certification is through the OpenChain programme.
NIS2
Network and Information Security Directive. Directive (EU) 2022/2555. Affects companies in 18 sectors of critical and important infrastructure. Key requirement for the open source supply chain: supply chain security as a mandatory measure (Art. 21(2)(d)), including assessment of vulnerabilities and development processes of direct suppliers (Art. 21(3)). Personal liability of management bodies (Art. 20(1)). Fine framework: up to EUR 10 million or 2% of worldwide annual turnover for essential entities.
NIS2UmsuCG
NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz. The German national transposition of the NIS2 Directive. Contains, among other things, personal liability of management for damages (Section 38(2)), a three-tier categorisation (particularly important entities, important entities, operators of critical facilities), and the registration obligation with the BSI (Section 33(1)).
Open Source Steward
A new legal category created by the CRA. Defined in Art. 3 No. 14 CRA as a legal person that is not a manufacturer and systematically and sustainably supports the development of specific open source products intended for commercial activities. Obligations under Art. 24 CRA: documented cybersecurity strategy, vulnerability management, cooperation with authorities, reporting obligations. Stewards are expressly exempt from fines (Art. 64(10b) CRA). OTTRIA voluntarily registers as an Open Source Steward.
OTTRIA
Open Source Trust, Threat and Risk Intelligence Alliance. A European service provider for securing open source supply chains. OTTRIA does not create SBOMs but evaluates existing software bills of materials and identifies risks, outdated components, and critical dependencies within them. OTTRIA registers as an Open Source Steward under the CRA and actively participates in open source projects.
Product Liability Directive (Directive 2024/2853)
Directive (EU) 2024/2853. The new EU Product Liability Directive, which defines software as a product under liability law for the first time (Art. 4 No. 1). Key changes compared to the predecessor directive of 1985: data loss as a ground for liability (Art. 6(1)(c)), cybersecurity as a defect criterion (Art. 7(2)(f)), no cap on total liability (Art. 12), facilitation of burden of proof in cases of technical complexity (Art. 10), disclosure obligation for evidence (Art. 9). Must be transposed nationally.
Responsible Disclosure
Coordinated vulnerability disclosure. A process in which a security researcher confidentially reports a discovered vulnerability to the maintainers or manufacturer and waits an agreed period before the vulnerability is made public. Common timeframes are 28, 30, or 90 days. DORA requires communication plans for responsible disclosure in Art. 14(1). NIS2 regulates coordinated disclosure at EU level in Art. 12. The CRA requires coordinated vulnerability disclosure in Annex I Part II No. 5.
SBOM
Software Bill of Materials. A machine-readable inventory of all components contained in a software product. The CRA defines the SBOM as a "formal record of the details and supply chain relationships of the components" (Art. 3 No. 39). SBOM creation is legally mandated (CRA Annex I Part II No. 1, Art. 13(24)). An SBOM alone is not a security tool but an inventory that requires continuous assessment and maintenance.
SCA
Software Composition Analysis. Tools that check software components against vulnerability databases (CVE, NVD, GitHub Security Advisories). SCA tools only find registered, reported vulnerabilities. They do not detect silent fixes, Decision Debt, or project decay. SCA tools form Layer 1 (visibility) in the support pyramid.
Silent Fix
A security fix that is incorporated into the source code of an open source project without a public vulnerability report (CVE) being filed. Studies show that for every registered CVE, there are on average 4 to 11 silent fixes. Silent fixes are invisible to SCA tools because they are not captured in any vulnerability database.
TLPT
Threat-Led Penetration Testing. Tests mandated by DORA that must be conducted every three years and must also involve ICT third-party service providers (Art. 26 DORA). TLPT simulates realistic attack scenarios based on current threat intelligence.
Whole-of-IT
A regulatory approach in which the obligations for risk control cover not only the organisation's own software but the entire IT stack, including all open source components, transitive dependencies, and the services of ICT third-party service providers. DORA and NIS2 follow this approach (DORA Art. 28, NIS2 Art. 21(2)(d), CRA Art. 13(5)).