News

They say “data is the new oil” and this highlights a critical vulnerability for Europe. Our reliance on non-European hyperscalers for data storage creates a significant dependency, raising serious questions about control, security, and resilience. What if these dominant nations restrict services, or how our data being used? Companies like Microsoft can not guarantee that European data won’t be used by others while it is stored outside of Europe.
Digital sovereignty means you have full control over your data, software, and infrastructure. Digital sovereignty isn’t just about knowing your dependencies; it’s about actively eliminating them. Björn Schiessle from NextCloud highlighted that Europe not only must act but, crucially, can act now. Many organizations remain stuck in theoretical debates, overlooking that solutions already exist. Arguments like “we need European hyperscalers first” often serve as excuses preventing change. Key pathways include developing European hyperscalers, utilizing existing European solutions, defining missing features, and making informed decisions. By consciously steering our decisions and investments towards the right solutions, digital sovereignty can transition from a mere aspiration to a practical reality.

The EU Cyber Resilience Act (CRA) is a challenge and also an opportunity.  It is transforming cybersecurity from an optional extra into a mandatory market entry requirement. This presents a significant question for manufacturers across Europe. Dirk Leopold  during the Open chai and Friends event  presented a great solution of collaboration, that is the CRA Community. CRAIG is a community-driven Non-Profit Association designed to support the implementation of the CRA. Its mission is clear: “We bridge the gap between complex legal requirements and practical technical application, and we strengthen cyber resilience across European industry by making security-by-design, secure development practices, and risk assessment accessible to organizations with limited resources.”

CRAIG empowers organizations, particularly those with limited resources, to meet these new standards. Whether you’re an engineer, a researcher, or a corporation, CRAIG offers an open, collaborative platform where you can get inspired, share ideas and develop together with others. This platform acts as a central source of information, but also much more. CRAIG also organizes working groups for the most important topics to create guidance and collect best practices for small companies up to large multinationals. Through this Community you also have to chance to connect to peers in your region and participate local events.

Are you interested? – check the official website for more information: CRAIG | Your CRA Community

In the realm of cybersecurity, the theory of supply chain security often appears clean and straightforward. The reality is different. It’s a complex, multi-faceted challenge riddled with common yet dangerous mistakes that persist across organizations. This vital session, presented by Daniel Mihajlov from Robert Bosch GmbH, offered a practical look at the danger of neglecting software supply chain security. Understanding the software supply chain security regulations is no easy task. It involves a multitude of stakeholders, from developers and legal teams to incident response units, authorities, and third-party companies. This complexity demands a unified, comprehensive strategy, moving beyond mere reactive measures to embrace proactive security.

Mihajlov highlighted a critical issue: “Checkbox compliance.” This occurs when individual departments complete their own security checklists without anyone taking a holistic view of the entire system. While all the paperwork might be perfect, this siloed approach inevitably leaves some weak points, creating a false sense of security. The problem isn’t the compliance checks themselves, but how they’re conducted – often prioritizing documentation over actual security posture. This leaves organizations vulnerable despite their best efforts.

Another compelling example of a common vulnerability is the “ghost ship” – widely used applications relying on old, unmaintained open-source libraries for critical functions. Imagine a scenario where the original developer has moved on, no one monitors the project, and crucial security updates or patches are simply not happening. If a publicly known critical vulnerability emerges in such a component, the entire application sails into dangerous waters. A dependency without an active maintainer is, undeniably, one of the biggest problems in today’s software landscape.

The session reinforced these points with numerous use cases and real-world attack examples, mentioning also how the artificial intelligence based solutions used today to do more sophisticated attacks against companies. Lesson learned: even if your internal systems are robustly secure, your entire security posture is only as strong as your weakest link – including your suppliers’ systems. If you share data with a vendor whose systems are compromised, your data is also at risk.

At a recent gathering of open-source compliance and education experts, a transformative approach to corporate learning was presented: Eclipse OSILK (Open Source & InnerSource Learning Kit). The presenter highlighted how the industry is moving away from static, hard-to-maintain training decks and toward a developer-centric “as-code” model.

The Problem: The “Maintenance Trap”

Organizations today face a significant challenge in scaling open-source literacy. While training materials exist, they often suffer from:

• Poor Reusability: Rigid formats (like PDFs or complex PowerPoints) make it difficult to extract and repurpose content.

• Customization Barriers: It is hard to adapt generic open-source training to an organization’s specific internal policies.

• Stagnation: Once created, these materials are difficult to maintain, quickly becoming outdated as technologies and licenses evolve.

The Solution: Eclipse OSILK

The core philosophy of the session was simple: Treat training material like software source code. By using AsciiDoc—a lightweight markup language—training content becomes text-based, modular, and version-controlled. This “Training-as-Code” approach offers several key advantages:

• Collaborative by Nature: Using tools like Git, multiple contributors can track changes, manage releases, and accept community contributions via pull requests.

• Single Source, Multiple Outputs: A single text file can be rendered into various formats (slides, web pages, or handbooks) using tools like Antora or Pandoc.

• Modular Content: Content is broken down into small, reusable snippets. As shown in the “Modular Content Structure” diagram, specific modules (e.g., JS, PHP, or C# specifics) can be pulled into different “Courses” as needed.

• Forkable: Just like software, an organization can “fork” the OSILK base materials and add their own internal compliance layers without breaking the link to the original source.

Roadmap and Real-World Use

The initiative, currently in the Eclipse Incubation phase, is already seeing adoption by major players like Michelin and various engineering schools.

The future roadmap for OSILK focuses on expanding content—moving from basic awareness to deep dives into consumption, contribution, and launching open-source projects. There is also a strong push toward automation and localized translations to make open-source literacy accessible on a global scale.

Key Takeaway

The consensus among participants was that scaling education requires the same agility we apply to software. By adopting the Training-as-Code mindset, organizations can finally move past the “static slide” era and build a living, breathing knowledge base for the open-source community.