
At the end of October 2025, Linux Foundation Europe, OpenSSF, and CEPS brought together developers, maintainers, policymakers, and industry leaders for conversations on open source, security, and Europe’s digital future. Through keynotes, workshops, and policy-focused sessions, the week created much-needed clarity around the Cyber Resilience Act (CRA) and, more broadly, EU cybersecurity policy: how it affects the open source ecosystem, and where contributors can find practical support.
Linux Foundation Europe Roadshow — Ghent (29 October)
The Roadshow featured two parallel tracks:
- Cybersecurity and CRA readiness track led by OpenSSF
- Digital commons track highlighting projects and ecosystem-wide discussions.
What the CRA Means for Developers & Stewards: Greg Kroah-Hartman, The Linux Foundation
Greg opened the morning by breaking down what the CRA covers, what falls outside its scope, and how responsibilities differ for contributors, stewards, manufacturers, and integrators. He walked attendees through lifecycle requirements, SBOM expectations, product classifications, steward obligations, and the timeline leading to full application in 2027.
CRA Simplified and Non-Scary for OSS Contributors: Roman Zhukov, Red Hat
Roman focused on addressing misunderstandings and easing concerns for maintainers. He highlighted how foundations, expert groups, and the wider community are working to support contributors with checklists, guidance, and tools such as OpenSSF Scorecard, GUAC, Trustify, OSCAL, and resources from the OpenSSF Global Cyber Policy WG.
Upstream Collaboration For The Win (of the CRA)! – Georg Kunz, Ericsson
Georg Kunz explained how the Cyber Resilience Act requires users of open source software to contribute security fixes back upstream, and he argued that strong upstream engagement and collaboration were essential for easing CRA compliance. The talk highlighted how effective collaboration could reduce friction, outlined the shared challenges ahead for industry and open source communities, and proposed ways to address them together.
Getting CRA-Ready: Lessons from a Major European Tech Company: Timo Perala, Nokia
Timo shared how a large European organization is preparing for CRA compliance, outlining real-world challenges and the internal processes being updated to meet the regulation by 2027. His talk offered insight into how enterprises are approaching readiness from both technical and governance perspectives.
Cybersecurity Strategy in the Face of Global Digital Regulation – Christopher “CRob” Robinson, OpenSSF
CRob discussed the broader regulatory context including CRA, NIS2, and global trends, and how open source communities can adapt without losing agility. He emphasized that security and regulation must be connected to existing workflows, not treated as separate or conflicting priorities.
CRA Working Sessions (Parts 1 & 2)
Led by Megan Knight (Arm), Daniel Appelquist (Samsung), Roman Zhukov (Red Hat), Timo Perala (Nokia), and Mike Bursell (Confidential Computing Consortium), these sessions gathered input from attendees and aligned the Awareness, Standards, and Tooling SIGs on shared priorities for 2026.
LF Europe Roadshow Reflections
Gabriele Columbro, General Manager, Linux Foundation Europe & Executive Director, FINOS
“The LF Europe Roadshow in Ghent reinforced that open source is at the core of Europe’s digital sovereignty. The OpenSSF and CRA sessions showed how much progress we make when developers, companies, policymakers, and foundations sit together and solve problems in the open. Europe doesn’t need ‘European open source’; it needs a strong ecosystem built on global, openly governed technologies. When local companies and infrastructure providers build and contribute influencing the global open source commons, Europe moves faster. Seeing the whole community aligned on that made the impact of this gathering clear.”
Christopher Robinson (aka CRob), Chief Security Architect, Open Source Security Foundation (OpenSSF)
“It was an honor to have participated in the LF Europe Roadshow with our peers in LF Europe as a follow-up on our 2024 Stewards and Manufacturers Workshop. It was amazing to gather with our members and the open source community to continue our collaboration around helping these two important groups prepare for the upcoming deadlines for the CRA.”
European Open Source Security Forum — Brussels (30 October)
Co-hosted by OpenSSF and CEPS, the European Open Source Security Forum brought EU policymakers, researchers, and open source security experts together for a full day of discussion on the cybersecurity regulatory landscape and digital sovereignty. The day opened with welcome remarks from Lorenzo Pupillo (CEPS) and Mirko Boehm (Linux Foundation Europe), followed by keynotes from Raluca Stefanuc (European Commission), Kreshnik Rexha (IBM), and Piotr Ciepiela (EY). A Q&A panel moderated by Mirko followed, where speakers expanded on their keynote topics and answered audience questions.
The European Cybersecurity Strategy and the Role of Open Source Software – Madalin Neag (OpenSSF)
Madalin outlined how NIS2, DORA, RED DA and CRA intersect, explained the role of open source software in this complex regulatory landscape, and provided practical guidance for preparing for these frameworks collectively instead of treating them as separate compliance tracks.
Panel: Open Source Software and Changing Regulatory Landscape in the EU
Speakers James Lovegrove (Red Hat), Sachiko Muto (OpenForum Europe), Benjamin Bögel (European Commission), and Jeremy Rollison (Microsoft) expanded on Madalin’s points and explored the challenges and opportunities created by Europe’s evolving regulatory environment.
Panel: Open Source and Quantum Security
Lorenzo Pupillo (CEPS), Fabiana Da Pieve (European Commission), Matt Caswell (OpenSSL Foundation), and Bart Preneel (KU Leuven) discussed how quantum technologies could transform industries, and how quantum computing could break widely used encryption. The panel looked at the role of open source in moving toward a quantum secure future, including how the community helps address new security risks and supports developing, testing, and deploying quantum safe cryptographic solutions.
Open Ecosystems are Sovereign: Gabriele Columbro (Linux Foundation Europe & FINOS)
Gabriele highlighted that sustainable open source requires healthy project lifecycles, real-world deployments, and avoidance of new forms of lock-in. He stressed that true digital sovereignty comes from open collaboration and interoperability, not isolation.
The Case for an EU Sovereign Tech Fund: Felix Reda (GitHub)
Felix Reda highlighted that digital sovereignty, competitiveness, and cybersecurity require supporting the maintenance and sustainability of open source infrastructure. He presented a new feasibility study that provides the blueprint for a European Sovereign Tech Fund and noted that coordinating public and private initiatives can simplify CRA compliance and build trust between open source projects and software manufacturers.
Panel: No Regulation Without Education: Tackling the Global Cyber Skills Gap in Light of the CRA
Christopher Robinson (CRob) (OpenSSF), Michaela Klopstra (Accenture), Hilary Carter (Linux Foundation Research), and Georg Kunz (Ericsson) addressed the cybersecurity skills gap and the importance of education in meeting CRA requirements, and, more generally, in strengthening the cybersecurity domain.
Fireside Chat: Open Source AI
Gabriele Columbro (LF Europe & FINOS) and Ben Burtenshaw (Hugging Face) discussed openness, trust, and the future of AI ecosystems. The session focused on Ben’s work in building and sharing high-quality AI datasets and his contributions to the open source community, including tools, community projects, and educational resources.
Closing Remarks: Steve Fernandez (OpenSSF)
Steve (OpenSSF) closed the Forum by reflecting on the importance of cooperation between policymakers, industry, and open source communities.
European Open Source Security Forum – Reflections
Lorenzo Pupillo, Associate Senior Research Fellow and Head of the Cybersecurity at CEPS Initiative, CEPS
“Great Event! Very good content and very productive dialogue between European Commission, private sector and Open source community.”
Mirko Boehm, Senior Director for Community Development, Linux Foundation Europe
“The European Open Source Security Forum demonstrated effective dialogue between policymakers and the open source cybersecurity community: technical experts and policy stakeholders engaging on substance rather than abstractions. The discussions addressed the real challenge, namely how Europe’s regulatory framework can strengthen open source security without inadvertently undermining the collaborative fabric that makes it work. Events like this build the institutional relationships between regulators, industry and communities required for sustained cybersecurity improvements.”
Madalin Neag, OpenSSF EU Policy Advisor, The Linux Foundation
“I felt truly privileged to be part of the European Open Source Security Forum, such an inspiring gathering of policymakers, industry leaders, and open source experts shaping the future of cybersecurity in Europe. It was an honor to connect, share ideas, and engage with Europe’s leading voices driving innovation and policy in this space. The discussions illustrated both the challenges and opportunities in Europe’s evolving regulatory landscape, and underscored the critical role of open source in shaping secure and resilient digital ecosystems. This event was an excellent opportunity to reiterate once more OpenSSF’s continuous commitment to contributing to EU policy and advancing open innovation across Europe.”
Steve Fernandez, OpenSSF General Manager, The Linux Foundation
“It’s events like this that bring policy makers, maintainers, developers, and industry together to better the security community. The work accomplished and shared over the last couple of days drives a more secure future.”
Why This Week Matters
Across Ghent and Brussels, discussions covered the whole EU cybersecurity strategy and the practical implications of the CRA. Speakers explored what these frameworks mean in practice for developers, maintainers, stewards, and manufacturers, including SBOM expectations, vulnerability management, secure development practices, documentation, and the standards that will contribute to future compliance.
Throughout the week, panels and working groups emphasized the importance of aligning policy and implementation, aligning regulatory intent with technical realities, identifying where clearer guidance is needed, and highlighting opportunities for the open source community to lead. Together, these conversations reinforced Europe’s next steps toward a more resilient digital ecosystem with open source at its core: turning policy into practical action, strengthening collaboration between policymakers and practitioners, and continuing to invest in secure and interoperable open ecosystems.
OpenSSF’s tools and resources were featured as tangible support for this readiness, alongside insights from the OpenSSF Global Cyber Policy WG. Looking ahead, OpenSSF will continue helping translate policy into practice through tooling, training, standards engagement, and community-driven collaboration across Europe and beyond.
Get Involved
CRA Resources
- OpenSSF Global Cyber Policy Working Group
- Free Course: Understanding the EU Cyber Resilience Act (CRA)
- CRA Guide for OSS Developers
- Open Source Project Security Baseline
- Tech Talk: CRA-Ready
- Report: Unaware and Uncertain: The Stark Realities of Cyber Resilience Act Readiness in Open Source
- Report: Pathways to Cybersecurity Best Practices in Open Source