The Eclipse Foundation has announced the formation of the Open Regulatory Compliance Working Group (ORC WG). This pioneering initiative aims to support participants across the global open source community—including developers, enterprises, industries, and open source foundations—in navigating and adhering to evolving regulatory frameworks.
Additionally, the working group will work closely with governments and regulatory bodies to enhance their understanding of the unique open source development model. Supported by prominent open source foundations and global technology leaders, this collaborative effort is dedicated to advancing the open source model in an increasingly regulated software supply chain.
“Given the impact of software technology on the global economy, it is unsurprising that governments worldwide are enacting new regulations to safeguard privacy, security, and accessibility,” said Mike Milinkovich, executive director of the Eclipse Foundation.“The Open Regulatory Compliance Working Group was created to bridge the gap between regulatory authorities and the open source ecosystem, ensuring organisations and developers can leverage open source technologies while remaining compliant with evolving global regulations.”
The newly established working group is committed to formalising industry best practices and offering essential resources to help organisations navigate regulatory requirements across multiple jurisdictions. Additionally, it aims to assist government entities in providing greater legal certainty to the open source ecosystem and software supply chain.
Through collaboration and guidance, the group seeks to elevate software quality and security in open source projects. Backed by the Eclipse Foundation’s strong commitment to open source supply chain security, the working group leverages a team of expert security professionals and rigorous processes. As a CVE Numbering Authority, the Eclipse Foundation plays a key role in effective vulnerability management, ensuring that security remains a top priority for all contributors, projects, and users within the ecosystem.
While the Open Regulatory Compliance Working Group is chartered to address compliance with open source-impacting requirements in general, its immediate focus is the European Cyber Resilience Act (CRA). With the CRA rapidly approaching implementation, the working group’s immediate efforts are centred on ensuring compliance with this new legislation.
Current Initiatives:
- Process Specifications: Development of cybersecurity process specifications and best practices aligned with the requirements of the CRA.
- Collaboration with European Authorities: The working group actively engages with the various European institutions to understand legislative timelines and produce timely compliance materials, with a primary focus on the CRA.
- Formalising Standards Participation: Having secured formal liaison status with the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC), the working group is actively pursuing working relationships with other European and National Standards Organizations to expand its contribution on regulatory standards.
- Community and Industry Education: A series of webinars with European Commission staff aims to keep the open source community informed about the EU’s legislative process. Recordings and materials, including sessions like “How to Read the CRA” led by Enzo Ribagnac, Associate Director for European Policy at Eclipse Foundation, are available here.
- Centralised Information Hub: The working group is developing a central resource to house all relevant CRA-related content, including webinars, glossaries, flowcharts, and FAQs to inform EU guidelines.
Collaborative Engagement:
The working group has garnered significant support from a broad range of open source organisations and private companies. As of the date of this announcement, participant organisations include: Apache Software Foundation (ASF), Blender Foundation, Robert Bosch GmbH, CodeDay, The Document Foundation, FreeBSD Foundation, iJUG, Lunatech, Matrix.org Foundation, Mercedes-Benz Tech Innovation GmbH, Nokia, NLnet Labs, Obeo, Open Elements, OpenForum Europe, OpenInfra Foundation, Open Source Initiative (OSI), Open Source Robotics Foundation (OSRF), OWASP, Payara Services, The PHP Foundation, Python Software Foundation, Rust Foundation, SCANOSS, Siemens, and Software Heritage.






