OW2con'26

Open Source Under the Cyber Resilience Act: Governance, Collaboration, and Sustainable Compliance
2026-06-03, Main stage

The EU Cyber Resilience Act (CRA) marks a significant shift in how cybersecurity responsibilities are defined for digital products — including software built on open source. While the regulation explicitly protects non-commercial open source development, it also introduces new obligations for organizations that commercialize, distribute, or embed open source software into products placed on the EU market.

This talk explores the implications of the CRA for open source communities, maintainers, and organizations using open source in their products.

It focuses on how open source governance, community collaboration, and supply chain security practices can evolve to support compliance without undermining the openness and sustainability of OSS ecosystems.

We will discuss practical best practices for organizations and engineering teams, including compliant codebase management policies, vulnerability handling and disclosure, SBOM usage, and secure-by-design development workflows aligned with CRA requirements. The session also highlights how community-driven security processes such as coordinated disclosure, shared tooling, and upstream/downstream collaboration can become enablers rather than barriers under the new regulatory landscape.

By bridging regulatory expectations with community values, this talk aims to provide a pragmatic blueprint for sustaining healthy open source ecosystems while meeting the cybersecurity obligations introduced by CRA.

This talk:
• Emphasizes collaboration over compliance fear
• Frames CRA as a shared responsibility across ecosystems
• Addresses long-term sustainability, not just regulation

Key Topics Covered

• What CRA really says about OSS (and what it does not)
• The role of organizations owning OSS in CRA-era governance
• Open source supply chain security under CRA
• Best practices for:
    ◦ OSS intake and reuse policies
    ◦ Vulnerability disclosure and handling
    ◦ SBOM generation and maintenance
    ◦ Secure-by-design OSS development
• Aligning community practices with regulatory expectations
• Avoiding over-compliance that harms open collaboration

Suggested Audience

• Open source maintainers
• Security engineers working with OSS
• Compliance and governance teams
• Community managers
• Policy-curious developers

CRA does not regulate open source communities — it regulates how organizations collaborate with them. Good governance and strong communities are now a security feature.

Dan Horovitz is an experienced Principal Security Researcher with over 25 years of multidisciplinary security research, security product development and management experience. Over the last 20+ years Dan has worked at Intel, McAfee and Check Point, as well as at several security startups, doing security product development together with security assurance, security code review, architecture and design review and security validation. Dan is a life-long hacker and security advocate who has always had a passion for deconstructing technology. Dan has performed all forms of security assessments, but given his developer and management background he has a dedication to product security assurance, security architecture, security development and security validation. Dan holds an MBA and a B.Sc. in computer science from BGU, is CISSP certified, and reached the 3rd Black Belt in Security at Intel, the organization's highest security certification. Dan has authored 35+ patents on privacy and security enhancements and has presented papers at conferences such as BSides, CyberSafe, iSecCon, DefCamp, DTTC, SWPC, Intel System Engineer, Intel TechWeek, QA&Test, INCOSE and MPower (McAfee).

to be completed.