What if open source software projects could receive ongoing and sustaining funding from the corporations that use those project commercially — without changing the license or charging a fee for usage? This may sound self-contradictory; soon, it may be more than theoretical.

In Article 25 of the Cyber Resilience Act, one can see that the European Commission has the opportunity to create a Delegated Act for Voluntary Security Attestations. This could open a path to reduce manufacturer's CRA-related compliance costs in exchange for support for the volunteers maintaining open source projects -- and to do this without becoming a manufacturer, without assuming liability, and without jeopardizing a steward's non-profit status.

In this panel, we will hear different perspectives on how this could improve the sustainability of open source across Europe, explore the potential impacts of different approaches, and invite audience participation and questions.

This presentation is part two of a two-part series. In part one, Æva introduced their ongoing work with the Eclipse Foundation to develop a holistic view of how such a program might function.