Call for papers

Focus on the Cyber Resilience Act

We are now working on our second event, the fall 2025 conference. It’s time to raise the speed of action in order to get compliant with the Cyber Resilience Act on time. Tools, standards, process support, new attitudes and new ways of working. We love brainstorming with you, so send us your ideas early!

We are at this moment looking for speakers and trainers

  • Conference talk in 25 or 50 minutes 
  • In-depth sessions trainers: 1.5 hour educational talks, no labs required

Nordic Software Security Summit Oct 1-3 2025 in Hotel Birger Jarl, Stockholm, Sweden.

Send in your proposals now!

Panel discussion
Panel discussion at NSSS 24

Overview of the conference

The software development market is about to get regulated by governments worldwide. In the European Union, we have many regulations coming that will change the process of creating and selling software for every party involved – from developers to sales. The manufacturers will be forced to take more responsibility for the cyber security in their products, work with compliance in relation to the new regulations and implement a product lifecycle management process with free and automatic security updates.

This regulation will cover all software sold on the EU market – from IoT devices, embedded systems, server applications to laptop software and mobile apps.

The customers – both consumers and on the commercial market – will get more transparency and abilities to monitor the health of the software products – regardless if it’s embedded in hardware or standalone software. 

The Nordic Software Security Summit is an annual conference to gather participants from all areas of the industry and share knowledge about the new tools, processes and the impact of the new regulation.

Short facts

  • Three day conference starting with in-depth workshops followed by a two conference days
  • On site in Stockholm, Sweden – Hotel Birger Jarl
  • Oct 1 – Training and community events, Oct 2-3 – Conference
  • Organised by Edvina AB in partnership with Dataföreningen (västra kretsen). For the 2024 conference  OpenSSF, SIG Security, Cybernode.SE and NCC-SE was partners and we’re hoping that they will join us again.
  • Conference registration and schedule will be published at
    https://www.nsss.se

How to submit

Send email to Olle E Johansson (conference chair) at oej@edvina.net with

  • Title of your talk
  • A paragraph describing the content
  • Your name, title and a short bio
  • Photograph

Send proposals – even if you don’t have all the details – no later than May 1st, 2025. If you need help with costs for travel and practical arrangements, make sure you let us know beforehand.

Contacts

  • Olle E. Johansson, oej@edvina.net, Cell phone +46 70 593 68 51 (signal, telegram)
    • Speaking opportunities, partners
  • Erik Johansson, erik@edvina.net, Office +46 8 96 40 20
    • Practical issues, registration etc

Suggested topics for talks

  • Compliance – the road to CE marking your product
  • Software supply chain security
  • Horisontal standards and related work – like ISO 27001 etc
  • DevSecOps and software transparency
  • Security artefacts: SBOM, VEX, attestations
    • Formats
  • Secure by design development process
  • Secure Code Frameworks
  • Coordinated vulnerability disclosure
  • Vulnerability handling – updating, prioritising and interacting with customers
  • Tools for scanning, vulnerability checking, compliance, SBOM and artefact management
  • The EU regulation: The Cyber Resilience Act, RED-DA and NIS2 as well as the umbrella – Cyber Security Act
    • What is the current status?
    • Who will be affected?
  • EU certification: EU-CC
  • Vulnerability databases: CVE, NVD, OSV and others – including the coming EU vulnerability database
  • Process: How to modify the product development process to adopt to the regulation
  • Shift security left: How to integrate cyber security professionals early in the process
  • How does a customer manage software transparency
  • Interacting with Open Source projects – 3rd party dependencies
  • ORCWG, OpenSSF, CEN/CENELEC, ETSI, ECMA work
  • Other related topics

Checklists, methods and process support are appreciated!

Topics for workshops

Workshops are 1.5 hour sessions with educational content. Ideas:

  • CycloneDX standard and tools
  • SPDX standard and tools
  • Securing your supply chain – practical advice
  • Coordinated vulnerability disclosure – how to set it up, experiences
  • Introduction to the Cyber Resilience Act for management
  • Secure by design: How do we get there?
  • Best practices for secure code
  • Stepping up in the devsecops process: How to implement security checks and SBOMs
  • Due diligence of 3rd party components – commercial and open source
  • Pentesting your software – an introduction
  • Other related topics of interest

Keywords

  • CRA, NIS2, RED-DA, EU, EU-CC
  • CyberSecurity
  • SBOM, CycloneDX, SPDX, VEX
  • ISO 27001, Common Criteria
  • DevSecOps
  • Software supply chain security
  • Dependency management
  • Vulnerability management
  • Open Source Software
  • OSPO, Open Source Program Offices

Why participants should participate in this conference

  • Get up to speed with the new regulations for the software industry
  • Learn about the tools and processes that is needed to make sure products are compliant
  • Connect to colleagues in the industry and learn where they are in the compliance process
  • Get information about the new certifications and horizontal standards
  • Learn about the usage of SBOM – Software Bill Of Materials – for license compliance and vulnerability handling

Who should participate?

  • Product owners
  • Product managers
  • Developers
  • Devops and devsecops professionals
  • Software security specialists
  • Cyber security professionals
  • Product compliance officers
  • Compliance management
  • CIO
  • CISO