Knowledge: Open Source, Regulation, and Supply Chain Security
Here you will find background articles on the topics relevant to your open source supply chain: the new EU laws, the technical fundamentals, and concrete recommendations for action.
Understanding the laws
- What is DORA? — The Digital Operational Resilience Act for the financial sector
- What is NIS2? — The Network and Information Security Directive for essential and important entities, including critical infrastructure
- What is the CRA? — The Cyber Resilience Act for software manufacturers
- What is the new Product Liability Directive? — Software as a product, manufacturers on the hook
- ISO/IEC 18974 — The standard for open source security in enterprises
Recognising risks
- What is an SBOM? — And why it alone is not enough
- Why your SBOM is rotting — The half-life of a software bill of materials
- Silent Fixes — The invisible threat beyond the CVE databases
- Decision Debt — When deferred decisions become risks
- Patch reality in open source — What really happens between vulnerability and fix
Understanding responsibility
- Open source has no contractual partner — Why SLAs with maintainers do not exist
- Who actually maintains open source? — The reality behind the projects
- D&O (directors' and officers') liability and the new cyber laws — Personal liability of management
- Digital sovereignty — Why using open source does not equal being sovereign
- Cyber insurance and open source risks — What policies cover and what they do not
Taking action
- Open source supply chain security — Understanding the full picture
- The steward role in the CRA — What an Open Source Steward delivers
- What does open source compliance cost? — Why in-house solutions are more expensive than you think
- Practical audit preparation — How to prepare for the audit