Open Source Summit Europe 2025

As software becomes increasingly critical to the functioning of the state, economy, and society, ensuring its security and stability is a core task for governments. Secure software supply chains are a key component of this effort and a decisive factor for successful digitalisation. To effectively guarantee supply chain security, a new approach to IT security architecture is required, one that brings together the expertise of security experts, developers, and government agencies to standardise testing procedures and facilitate collaborative security analyses. The openCode platform, run by the German Centre for Digital Sovereignty (ZenDiS), is central in addressing this challenge: by establishing binding security standards, promoting transparency, and enabling the tracing of origins for critical software components, openCode helps build resilient, sovereign OS infrastructure for public administration. A recent strategy paper published by ZenDiS and the German Federal Office for Information Security develops a strategy on how to secure software supply chains with openCode, which will be presented in this talk. 

The public sector has been an active user of Open Source Software (OSS) since its inception. Yet, adoption and reuse have fluctuated, along with the many policies and initiatives providing guidance and support. On the positive side, there is a wealth of experience to draw from.

In this presentation, we aim to inspire and provide insights from a study of 16 countries that are mature in their digital practices, as indicated through a set of digital maturity indicators. These countries are surveyed regarding government policies, rationales, support mechanisms, means of promotion, and success stories on OSS adoption.

We find diverse means in how policy is designed and motivated to support both the adoption and use, as well as development and release of OSS across sectors. The cases further provide in-depth examples of how the policies can be supported and enabled using Open Source Program Offices (OSPOs), communities, and codified knowledge.

Based on our findings, we will provide attendees as well as policy- and decisionmakers at national, regional, and local government levels, with recommendations for designing and fostering sustainable policies for OSS adoption.

The CNCF’s Cloud Native Public Sector User Group, founded in 2023, aims to advance cloud-native best practices within the public sector, with a focus on improving workflows and supply chain security.

Public sector organizations face unique and evolving challenges that complicate software supply chain security. These include the absence of standardized practices for what software can enter isolated networks, no shared root of trust, and a lack of frameworks for integrating public and private attestations. There's also no guidance for using shared, non-public infrastructure—hindering trust and automation.

This talk, based on learnings from the groups recent publications, explores how public sector consumers can receive trusted attestations that prove origin, integrity, and authorship—across companies, networks, and government entities. It also asks: what’s the minimum assurance needed for trust, and how do we balance stringent requirements without sidelining small suppliers?

Key Takeaways:

• Current challenges in public sector supply chain security

• Emerging needs for trust, attestations, and integration

• Ideas for equitable, scalable solutions across supplier sizes

The Cyber Resilience Act’s implementation deadline is 2027, but most organisations are reporting their current unreadiness. In this panel we lay bare the responsibilities individuals, maintainers, and foundations are required to conform to through four varying lenses: the CEO of open source foundation OpenUK; CTO of open source supply chain firm Kursai; OSPO PM for security multinational Sonatype; and CEO of open source security consultants ControlPlane. They hold current and previous security and open source leadership positions across The Linux Foundation, Canonical, OpenSSF, CNCF, FINOS, and OpenUK, and have been working on CRA responses and accountability since 2022.

Join us to discuss community responses to compliance, the Linux Foundation’s approach to self-attestation, and strategies for preparing your organisation's response to the impending legislation.