ENISA published guidance on the #NIS2 implementing act for the digital sector. They cover how to apply the NIS2 requirements when it comes to #FOSS, including clarifying that in most cases upstream open source maintainers should not be considered a ‘direct supplier’. There are 37 occurrences of #opensource in the text. Some quotes to follow https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance

“Most software today builds on the rich foundation of infrastructure that has been provided freely by free and open source software (FOSS) projects and communities. In line with the approach to FOSS in Regulation (EU) 2024/2847, this document includes guidance on the responsible use of free and open source software in relevant sections, for example in sections 5.1 and 6.1.”

In 5.1, on whether FOSS qualifies as ‘direct supplier’ (which triggers obligations upstream):
“In the case of free and open source software (FOSS), communities and projects that openly develop, maintain and distribute software may not be considered direct suppliers or service providers where no contractual relationship exists between the relevant entity and the open source project, beyond adherence to a standardised copyright licence, or”
[continues in next toot]

[continuing:]
[In the case of free and open source software (FOSS), communities and projects that openly develop, maintain and distribute software may not be considered direct suppliers or service providers] “where the contractual relationship is with an open source software steward (Regulation 2024/2847, Article 3(14) ‘provides support on a sustained basis for the development and ensures the viability of those products’).”

There's a large list of tips for FOSS in the supply chain security section (5.1, page 73), including:
“require suppliers or service providers to provide evidence of their engagement with the OSS community to ascertain whether adequate resources are available to support sustainable maintenance efforts and contribute such resources where appropriate, including to guarantee future availability of security patches;”

This “tip” on regular code reviews has a footnote:
“Suppliers do not necessarily need to perform security audits (and the resulting remediation efforts) themselves, but they can fund existing initiatives that perform open source security audits at scale (e.g. Sovereign Tech Agency, Alpha-Omega and the Open Source Technology Improvement Fund) or upstream (e.g. by funding a maintainer or by establishing contractual relationships with relevant Open Source Software Stewards to do that work).”
