Per-Erik Eriksson, HiQ

New regulation puts a lot of responsibility on the vendor that places a product on the EU market. The vendor needs to do a thorough vetting of all upstream components – both commercial and Open Source. In addition, there are new requirements on transparency with SBOMs and other artefacts. Where do you start? How much time do you have? And what if the upstream vendor or project can't deliver?

The changes also mean new opportunities for customers to get insight both before and after purchase. Requiring access to SBOM and VEX artefacts will mean that customers can get better control of their IT infrastructure and be able to prioritise should a new zero-day vulnerability appear.

It's time for everyone to implement new processes and a set of new requirements when purchasing products. A gap analysis will be needed – how close is the vendor to where they need to be with regard to the regulation? Can we trust that they will close the gap?


Open Source Security Foundation
