Eclipse Foundation’s New Open Regulatory Compliance Working Group Launch

The Eclipse Foundation is launching a new Open Regulatory Compliance Working Group on 24 September 2024. Payara Services is delighted to be a Participant member and the organization is keen to ensure as many development and security teams, small to medium-sized enterprises, and corporations as possible are aware of its work. And, of course, the more organizations that join the Open Regulatory Compliance Group, the stronger our impact can be. When we work together, we can better represent open-source software-related industries while the EU develops standards under the Cyber Resilience Act 2024 and subsequent data security compliance legislation.

In this blog post, we look at the history and development of the Eclipse Foundation as well as its new focus on cybersecurity compliance regulations through the new working group since July 2024.

What is the Eclipse Foundation?

The Eclipse Foundation is an independent and international network of open-source innovators that exists to encourage communication and collaboration between software innovators. With over 360 members ranging from SAP to the Deutschs Zentrum fur Luft-und Raumfahrt , it has a business-orientated focus and encourages the commercial adoption of open-source products.

The Eclipse Foundation operates as a host for some popular open source software projects.

There are already a series of Working Groups and Interest Groups you can join. For example, you could join the Eclipse Cloud Development (ECD) Tools Working Group that was formed to develop a vendor-neutral ecosystem of web and cloud-based development tools. Or, you could join the Eclipse Software Defined Vehicle Working Group that is building software, specs and models to facilitate an open-source licensed vehicle software platform.

Members are required to comply with the Eclipse Foundation Antitrust Policy to enable member organizations to collaborate in a vendor neutral manner.

What is the Eclipse Foundation’s Open Regulatory Compliance Working Group?

The Open Regulatory Compliance Working Group (ORC WG) is a non-profit, regulatory compliance body. It is keen to curate a community of small and medium enterprises (SMEs),   research organizations, corporations and other open-source foundations that aims to help   the industry to meet regulatory requirements while continuing to leverage open source through the software supply chain.

The group’s inspiration comes from the Cyber Resilience Act. Specifically, Article 13(5) mentions:

• Due Diligence where “components sourced from third parties shall not compromise the cybersecurity of the products” (third party dependencies)
• “Stewards”, who must document their cybersecurity policy, establish a vulnerability management system, and make security attestations (Article 24-25)

Is Membership of the Eclipse Foundation the Same as ‘Stewards’ in the Cyber Resilience Act?

‘Open Source Stewards’ is terminology you’ll find in the Cyber Resilience Act. The Eclipse Foundation has stated it does not intend to interfere with the EU Commission’s decision-making process about which organizations may become stewards. It does, however, welcome stewards to participate in the ORC working group.

What is the Purpose of the Eclipse Foundation’s Open Regulatory Group?

The Eclipse Foundation has Liaison status with CEN-CENELEC, meaning it can submit documentation that explains its recommendations for open-source security for the Cyber Resilience Act.

The ORC WG is designed to:

• Share security best practices for the open source and wider tech industry
• Prepare open specifications to influence ISO, CEN-CENELEC and National Standardization Bodies (NSB) to contribute to homogenized standards around the Cyber Resilience Act and beyond
• Help facilitate open-source supply chain security collaboration across industry, research, and other open source foundations

What is Happening Currently?

The Eclipse Foundation’s ORC WG is focusing on:

• Cyber Resilience Act product definitions (including Important and Critical products)
• An inventory of relevant resources, including a focus on standards around the headings of ‘Secure by design’ and ‘Vulnerability handling’
• A discussion opportunity around the topic of Open-Source Sustainability
• A 30-60/90 day plan in operation, at the end of which the Steering Committee will publish a program plan

How Does Membership of the Open Regulatory Compliance Working Group Work?

The Eclipse Foundation leadership is keen to have members involved in the governance elements of the group’s design and operation from the start.

Payara Services Limited is a Participant Member, along with iJUG Verbund, Lunatech, OBEO, OpenElements, and ScanOSS.

There are varying levels of membership:

• Eclipse Foundation Membership
  • Associate Member
  • Contributing Member (fees for SMEs and ‘for profit larger companies’
• Working Group Participation
  • Strategy or Participant Member
  • Foundation Member
  • Guest Member

However, even if you are not a member, you can still provide feedback via the ORC WG mailing list.

Explore More About the Eclipse Foundation’s Open Regulatory Compliance Group

Keep up to date with Eclipse Foundation’s initiatives:

• Read The Eclipse Foundation Launches the Open Regulatory Compliance Working Group to Help Open Source Participants Navigate Global Regulations
• Read Strengthening Open Source by the Executive Director at the Eclipse Foundation, Mike Milinkovich
• Watch the latest WG Update Call
• View the Open Regulatory Compliance Working Group Charter
• Consult the Participation and Membership FAQs
• Find out about other ways you can Participate
• Explore Eclipse, OSGI, and MicroProfile collaborations
• Book onto the upcoming Open Community Experience 2024 conference (22-24 October) or check out the calendar of events.