Could Compliance Costs Sustain FOSS? A Panel With The Public Sector
UA2.118 (Henriot) | Day 2 | 15:40 - 16:20 | Speakers: Æva Black, Michael Schuster, Greg Wallace, Tommaso Bernabò
Abstract
What if open source software projects could receive ongoing and sustaining funding from the corporations that use those projects commercially — without changing the license or charging a fee for usage? This may sound self-contradictory; soon, it may be more than theoretical.
In Article 25 of the Cyber Resilience Act, one can see that the European Commission has the opportunity to create a Delegated Act for Voluntary Security Attestations. This could open a path to reduce manufacturers' CRA-related compliance costs in exchange for support for the volunteers maintaining open source projects -- and to do this without becoming a manufacturer, without assuming liability, and without jeopardizing a steward's non-profit status.
In this panel, we will hear different perspectives on how this could improve the sustainability of open source across Europe, explore the potential impacts of different approaches, and invite audience participation and questions.
This presentation is part two of a two-part series. In part one, Æva introduced their ongoing work with the Eclipse Foundation to develop a holistic view of how such a program might function.
Speakers
Æva Black is a non-binary hacker, veteran of the first dot-com bubble, and the former Section Chief for Open Source Software Security at the U.S. Cybersecurity and Infrastructure Security Agency. They founded Null Point Studio in 2025 to continue supporting the sustainability and security of free and open source software.
A dedicated open source advocate and contributor, Greg Wallace leads partnerships at NetActuate, a global anycast edge and IaaS provider, interfacing with supported projects CPAN, FreeBSD, and the NTP Pool. He previously served as Senior Director of Partnerships at the FreeBSD Foundation where he boosted vendor engagement, shaped the Foundation's SSDF Attestation program, and in collaboration with UKRI Digital Security by Design launched the Beacon Awards to celebrate advancements in memory-safe computing. While Senior Director at the Linux Foundation, Greg led marketing for the Node.js Foundation, Hyperledger, and ODPi and prior to that worked with the jQuery and OpenSocial Foundations. He consults on open source strategy, marketing, and community engagement with past clients including Accenture, HackerOne, IEEE SA, and Tidelift. Currently Greg's an active member of the CRA Attestations project in the ORC Working Group and he leads the FreeBSD Enterprise Working Group.
Tommaso Bernabò is a Policy Officer in the Cybersecurity and Digital Privacy Policy Unit in the European Commission’s Directorate-General on Communications Networks, Content and Technology. He works on the implementation of the Cyber Resilience Act, coordinating a number of implementation activities, including by-laws (implementing and delegated acts), guidance, and the management of the CRA Expert Group.
Before joining the Commission, Tommaso worked for 6 years as Parliamentary Assistant to a Member of the European Parliament, working on industrial and cybersecurity policies, notably leading the technical negotiations on the Cyber Resilience Act for the Parliament’s negotiating team.
Links
External Links
Notice: The placeholder video image is licensed under CC BY-SA 4.0. The original image can be found here. Changes made to the image are: the image was cropped to a new ratio, so part of the image was cut off.
