Laws and Regulations

The following EU laws and national transpositions concern the security of open source components in your software supply chain. We have compiled the articles and provisions relevant to open source governance in their official wording.

EU legal acts are published in the Official Journal of the European Union and are freely available (for example via EUR-Lex). The texts reproduced here correspond to the official English wording.

DORA - Digital Operational Resilience Act

Regulation (EU) 2022/2554. Directly applicable in all EU Member States without national transposition. Applies to financial entities and, through its contractual and oversight requirements, to the ICT third-party service providers they rely on. DORA expressly lists "open source analyses" among the tests that a digital operational resilience testing programme must provide for (Art. 25(1)), alongside vulnerability assessments, source code reviews and penetration testing. Because a binding legal text names the method, open source analyses may, depending on regulatory interpretation and practice, also come to be regarded as state of the art under other laws that require state-of-the-art measures.

NIS2 - Network and Information Security Directive

Directive (EU) 2022/2555, transposed in Germany by the NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz). Covers 18 sectors (Annex I and Annex II) in which essential and important entities operate. Art. 21 sets out the cybersecurity risk-management measures; Art. 21(2)(d) is the supply chain security obligation, which covers the security-related aspects of the relationships with direct suppliers and service providers, including the components they deliver.

CRA - Cyber Resilience Act

Regulation (EU) 2024/2847. Directly applicable in all EU Member States; the main obligations apply from 11 December 2027, the vulnerability and incident reporting obligations from 11 September 2026. Contains the definition of the "open-source software steward" in Art. 3(14), the obligations of stewards in Art. 24 and the voluntary security attestation for free and open-source software in Art. 25. For OTTRIA, the central law.

Product Liability Directive

Directive (EU) 2024/2853. Must be transposed into national law by 9 December 2026. For the first time it expressly treats software as a product (free and open source software supplied outside the course of a commercial activity is excluded, but a manufacturer that integrates it into its product remains liable for it) and recognises the destruction or corruption of data not used for professional purposes as compensable damage. The optional financial ceiling permitted under the 1985 Directive has been removed, so there is no cap on total liability.

ISO/IEC 18974

ISO/IEC 18974:2023, the international standard for open source security assurance. It specifies the requirements of a programme for identifying and handling known vulnerabilities in open source components and is referenced as the benchmark for the "state of the art" in securing them. ISO standards are copyright-protected and cannot be reproduced verbatim here. The OpenChain Security Assurance Specification on which the standard is based is freely available from the OpenChain Project.

Note

The legal texts reproduced here are excerpts. They do not replace reading the full legal text. For binding information, consult your legal department.
