What is the purpose of this new initiative?
The Open Regulatory Compliance Working Group (ORC WG) aims to facilitate compliance of all open source actors with regulatory requirements. To achieve this, the ORC WG:
- Provides an open forum for members of the open source community to organise, share, document, and develop best practices, and support each other.
- Collects and shares input and feedback in relevant legislative and standardisation processes.
- Develops specifications that can be transformed into standards recognised by legislators through relevant standardisation organisations.
- Creates additional materials to help with compliance such as guidelines, educational content, and specifications not designed for further standardisation.
The ORC WG strives to develop artefacts and best practices that help open source actors comply with regulatory requirements across jurisdictions.
What is the main focus of this initiative?
Initially, the ORC WG is focusing on the European Cyber Resilience Act (CRA). However, the working group will continue to expand its work to include other global regulations and legislation as they develop.
Who is this initiative for?
This initiative is aimed at all participants within the open source ecosystem, including foundations, maintainers, vendors, users (including non-software vendors using open source), package managers, and other related entities.
Why host this initiative at the Eclipse Foundation?
As Europe's largest open source foundation, based in Brussels, the Eclipse Foundation AISBL is a natural home for this effort. The foundation supports a well-established, robust open specification process and will host and promote the working group's open specifications. The governance of the working group will follow the Eclipse Foundation's usual member-led model, augmented by explicit representation from the open source community to ensure diversity and balance in decision-making.
Key benefits of this approach include:
- Proven Path To Standards Adoption: Leverage a well-established open specification process that is already recognised by various relevant standards bodies.
- Open, Transparent, and Inclusive: Foster an open, transparent, and inclusive process.
- Collaborative Governance: Enable collaborative decision-making through open governance.
- Ensured Neutrality: Maintain neutrality among foundations, vendors, and communities.
- Broad Inclusivity: Welcome individual contributors, for-profit organisations, and nonprofit organisations.
- Legislative Engagement: Establish direct relationships and active engagement with governmental bodies and public sector entities in various jurisdictions.
What are the ultimate deliverables of this initiative?
The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence. The group's initial effort is to enumerate the respective open source foundations' security policies and procedures and similar documents describing best practices. With these as our starting point, we aim to accelerate the development of cohesive cybersecurity processes required for regulatory compliance, while offering a neutral environment for hosting technical discussions with both industry and the open source community at large.
How can I get involved?
Participation is easy. Here are some links to help you get started: