ORC Monthly: Regulatory Submissions and Code & Compliance Community Day

As we dive into the summer months, we’re combining our June and July updates into a single post, because June was packed. In June alone, we contributed to the EU’s draft guidance on open source hardware, submitted detailed comments on the CEN/CENELEC PT 1 Standard, and provided feedback on the proposed Cybersecurity Act (CSA) Revision. We also offered further refinements to the EU’s guidance on open source in general. These submissions reflect the ORC’s growing role as a trusted voice in the policy conversation around open source and cybersecurity in Europe.

To improve the community’s efficiency, we have refined our internal review and feedback process, enabling us to respond more quickly and effectively to fast-moving developments. This momentum puts us in a strong position to continue influencing these conversations in a way that represents the interests of the open source community.

Timo Perala and Dirk-Willem van Gulik
ORC co-chairs

What’s New

• Save the date for Code and Compliance. Preparations are already in motion for the first edition of Code and Compliance Community Day, set to take place in Brussels on October 22 and 23. If you’re interested in shaping the program or contributing to the content, now is the time to get involved.

• The first drafts of the horizontal standards from CEN/CENELEC have been released for internal review. The ORC submitted feedback to PT1 and is currently preparing input for Part 3 (PT3).

• While the CRA remains the core focus of the Working Group, we’ve also provided consolidated input on related legislative efforts, including the proposed revisions to the Cybersecurity Act (CSA). You can read our comments here.

• The ORC community collaborated to deliver feedback on the European Commission’s consultation on the Standardisation Regulation No 1025/2012. Our response emphasised how the process can evolve to better accommodate the open source ecosystem as an essential stakeholder.

• Our weekly CRA Mondays series is taking a break over the summer months. If you missed any of the discussions, now’s a great time to catch up on the recordings and stay informed on the latest CRA-related topics, including:

  • The CRA: Why even your fridge might need a lawyer
  • Supply-chain Levels for Software Artifacts (SLSA)
  • How to stop worrying and love the NLF
  • And more

• The ORC is currently developing a series of white papers focused on key aspects of cybersecurity and open source. Topics include:

  • SBOMs
  • Due diligence obligation of manufacturers
  • Security attestations
  • Types of open source projects
  • Open Source Software Stewards and CRA

  If you’re interested in contributing your expertise or reviewing drafts, we welcome your participation. Learn more and get involved on GitHub.

Overheard

We’re also on Mastodon: @orcwg

Upcoming Events

• Open Source Summit Europe | 25 - 27 August 2025
• Comply.Land | 11 September 2025 - 12 September 2025
• The Things Conference | 23 - 24 September 2025
• Nordic Software Security Summit | 1-3 October 2025
• Code & Compliance Community Day | 22-23 October 2025

Recent Talks & Events

• CRA Mondays | Supply-chain Levels for Software Artifacts (SLSA) | Arnaud Le Hors
• CRA Mondays | The CRA: Why even your fridge might need a lawyer | Pedro Demolder
• Unpacking the CRA: From Draft to Delivery – ORC Working Group’s first deliverables
• Digital Enterprise Show - Malaga June 2025
• Global Digital Collaboration Conference - well-attended sessions on “Soverign by Design”

Welcome ORC Members

The following members joined in June and July 2025:

• Red Hat
• Google
• Open Source Matters
• Ekxide IO
• GitHub
• Microsoft

How to Participate

• Learn
• Contribute
• Join the Working Group