
By Madalin Neag
There is a particular feeling that comes with wearing a conference badge that carries more weight than your name. It is the quiet awareness that you are not just attending an event; you are representing a global community, its values, and its future direction.
Since joining The Linux Foundation in mid-July 2025, where I work on behalf of the Open Source Security Foundation (OpenSSF), I have had the privilege of doing exactly that: collecting badges across Europe while representing OpenSSF, Linux Foundation Europe, and implicitly the broader Linux Foundation ecosystem at key open source, cybersecurity, and standardization events and meetings.
Each badge tells a story – not of travel for travel’s sake, but of conversations, collaboration, and the growing recognition that open source security must be part of Europe’s cybersecurity future. Looking back on those first months, what stands out most are the people I met, the rooms where policy and practice intersected, and how deeply connected the OpenSSF ecosystem is across communities, institutions, and borders.
My journey officially began in August at Open Source Summit Europe in Amsterdam. It was my first time representing OpenSSF in an official capacity, and it immediately highlighted the responsibility that comes with speaking on behalf of a global open source security community. Open Source Summit Europe brings together maintainers, contributors, industry, and policymakers each year, making it a natural place to engage on the evolving role of security in open source ecosystems.
That momentum continued with the OpenSSF Community Day, also held in Amsterdam. Beyond participating, I had the opportunity to contribute directly as a speaker, delivering a keynote titled “Bridging Policy and Communities – OpenSSF Involvement in EU Cyber Policy.” That experience brought into sharp focus the power of connection: between policy and practice, between communities and the standards that guide them. OpenSSF is stepping into that space not just as a steward but as a leader: building capacity, fostering inclusion, and driving innovation with an eye toward the future. By bridging open source communities with national, EU, and global frameworks, it enables collaboration on a scale few organizations can achieve. The result is a cybersecurity policy that doesn’t just exist on paper but is actively brought to life, empowering the people who create the software on which the world depends.
In September, my role took me to Brussels for the Open Source Congress, where I joined a panel discussion focused on the intersection of cybersecurity best practices and global standards shaping this area. The exchange highlighted the growing complexity of the cybersecurity landscape and the importance of continued collaboration across international initiatives.
Brussels remained a focal point in the months that followed. On October 22, I attended the 3rd CRA Expert Group meeting, where we worked on the practical implications of the EU Cyber Resilience Act (CRA) and how policy can effectively translate into real-world practices, including in guidelines related to open source software. Throughout the meeting, the discussions naturally flowed around the Expert Group’s work: helping the Commission create guidelines that will contribute extensively to the implementation of the CRA, shaping delegated acts and policy initiatives, and exchanging perspectives with Member States and other regulatory actors to ensure alignment across the Union.
At the end of October, I attended the Linux Foundation Europe Member Summit and Roadshow in Ghent on October 28–29. A dedicated track on the Cyber Resilience Act brought together policymakers, industry representatives, and open source communities to explore how regulations translate into engineering decisions, maintenance responsibilities, and important steps towards CRA compliance. The workshop held there was structured around three main topics – stewards, standardization & policy, and manufacturers – allowing participants to examine the roles, responsibilities, and practical challenges each group faces in implementing the CRA.
Immediately afterward, on October 30, I returned to Brussels for the European Open Source Security Forum, where I talked about “The European Cybersecurity Strategy and the Role of Open Source Software.” That presentation wove together EU strategy, open source realities, and the need for policies that strengthen rather than hinder ecosystems. I emphasized that DORA, NIS2, RED DA, and the CRA form a connected framework for cybersecurity and operational stability, and compliance works best when approached holistically. Aligning OSS practices with these policies builds trust and resilience, while companies can act by auditing software, elevating governance, embracing open source stewardship, and investing upstream. Simplifying reporting and providing practical guidance makes compliance both effective and manageable.
In early November, I traveled to Lyon for OSPOlogy Live Europe, where I presented the OpenSSF Cybersecurity Skills Framework and discussed why securing software requires investing in people and shared security knowledge, not just technology. The session highlighted OpenSSF’s leadership in building practical, role-based security capabilities across engineering teams. The framework provides a clear, actionable map for identifying security skill gaps and prioritizing capability development across the software ecosystem, while demonstrating how organizations can use a common language for security skills to systematically improve their cybersecurity posture. OSPOlogy provided the ideal setting to focus on the human side of security, reminding us that frameworks and regulations are only effective when people are equipped to implement them.
December took me to Geneva for the ITU-T SG17 meeting, where I participated as an invited expert representing OpenSSF in a forum for global standardization. Being part of this UN-affiliated technical standards body made me realize just how much discussions around open source security are reaching beyond local or community circles and moving into truly global coordination. Much of my work this year focused on European cybersecurity policy, but here it naturally expanded into wider standardization environments, where global policy meets practical implementation and the realities of open source must continue to be carefully considered.
A significant part of my work under Linux Foundation Europe’s umbrella has been focused on supporting the implementation of the CRA through European standardization activities. Acting as an ETSI member, I participated in several ETSI and CEN-CENELEC meetings where CRA-related standards are developed and aligned. In early October, I traveled to Sophia Antipolis for the ETSI Security Conference and one of the first joint meetings between ETSI TC CYBER WG EUSR and CEN-CENELEC groups. These early coordination efforts are essential for translating legislative intent into practical technical requirements that consider both open source and broader software ecosystems.
In December, I returned to Sophia Antipolis for three collocated meetings: ETSI TC CYBER WG EUSR, CEN-CENELEC JTC13 WG9, and a joint meeting between the two groups. These rooms are where critical discussions and continued alignment on CRA implementation happen, ensuring that standards reflect the realities of software development, including open source models. Participation in these meetings enables open source communities to be represented in the conversation and ensures that insights from the standards process can be shared back, supporting awareness and informed engagement.
At some point, you look at your desk and realize you have collected a small wall of badges. Each one represents not just an event, but dozens of conversations with maintainers, policymakers, standards experts, and community leaders.
What stands out most is how connected this ecosystem is. OpenSSF shows up everywhere: sometimes visibly on stage, sometimes quietly in working groups, but always as a trusted convener and bridge builder. The same faces reappear across cities and institutions. Trust builds over time, and relationships compound.
This journey is far from over. I am very much looking forward to continuing to represent OpenSSF, Linux Foundation Europe, and the broader Linux Foundation ecosystem in 2026 and beyond, always with the goal of advancing cybersecurity policy and implementation in a manner that aligns with the ethos and practices of open source. Some of the already confirmed events include FOSDEM, FOSS Backstage, EU Open Source Policy Summit ’26, Open Source Security Forum 2026, Open Source SecurityCon 2026 (co-hosted by CNCF and OpenSSF), OpenSSF Community Day Europe 2026, and more to come.
Each future badge will add to the collection but, more importantly, to the shared effort of making open source security robust, practical, realistic, and globally aligned. Collecting badges might look like travel on the surface, but in reality it is about showing up again and again for the communities that build the world’s software. I am deeply grateful for the trust placed in me to represent OpenSSF and Linux Foundation Europe, and for the opportunity to help ensure that open source has a strong, informed voice wherever cybersecurity decisions are being made.
About the Author
Madalin works as an EU Policy Advisor at OpenSSF focusing on cybersecurity and open source software. He bridges OpenSSF (and its community), other technical communities, and policymakers, helping position OpenSSF as a trusted resource within the global and European policy landscape. His role is supported by a technical background in R&D, innovation, and standardization, with a focus on openness and interoperability.