
Gaël Blondelle, Chief Membership Officer, the Eclipse Foundation
The Eclipse Foundation, one of the largest open source foundations globally and claimed to be the largest based in Europe, plays a central role in guiding this change. Known for stewarding the Eclipse IDE and major projects such as Jakarta EE and Eclipse Temurin, the Foundation now oversees more than 400 open source initiatives across areas including Cloud, automotive, AI, IoT, and Edge applications.
Gaël Blondelle, Chief Membership Officer at the Eclipse Foundation and Board Member of the Open Source Initiative (OSI), brings deep expertise in open source governance and ecosystem development. His focus is on helping member organisations collaborate effectively and navigate emerging challenges – particularly those posed by new regulations such as the EU’s Cyber Resilience Act (CRA).
We spoke with Blondelle to better understand how the Foundation is supporting the open source community in this changing environment.
To start us off, could you give a quick overview of the Eclipse Foundation – how it came about and what it aims to do?
The Eclipse Foundation is one of the world’s largest open source foundations, headquartered in Brussels. While many know us for the Eclipse IDE platform, our original project, which is still used by millions of developers and powers more than 1,200 commercial solutions, our work today extends well beyond tools.
We host over 400 open source projects, including strategic collaborations in areas such as AI (Eclipse LMOS, Theia AI), embedded systems (Eclipse ThreadX, a security-certified open source RTOS powering over 12 billion devices), automotive design (Software Defined Vehicle Working Group), open source RISC-V cores (OpenHW Foundation), and trusted data-sharing ecosystems (Eclipse Dataspace).
As the largest open source foundation based in Europe, we also play a key role in publicly funded research, with active participation in Horizon Europe, Digital Europe, and projects such as Gaia-X, Catena-X, and those supporting the EU AI Act.
What does your role as Chief Membership Officer involve?
As Chief Membership Officer at the Eclipse Foundation and a Board Member of the Open Source Initiative (OSI), I leverage my expertise in ecosystem building and open source governance to help companies innovate and collaborate effectively. My role focuses on engaging existing members, recruiting new ones, and advancing our mission to enable vendor-neutral, community-driven innovation. The goal is to help companies build better software while saving time and resources.
What was the thinking behind the Foundation setting up the Open Regulatory Compliance Working Group?
With the introduction of the EU’s AI Act and the Cyber Resilience Act (CRA), for the first time in history, software is now being subject to market regulation. The community quickly recognised that this shift would significantly impact open source, which is used in up to 95% of today’s software products.
The creation of the Open Regulatory Compliance Working Group (ORC WG) is really all about addressing the growing impact of those new market regulations on open source solutions. It brings together prominent open source foundations, leading global enterprises, and industry stakeholders to study the regulations, contribute to standardisation, develop best practices, specifications, and practical resources to help organisations navigate these evolving regulatory requirements. Our initial focus is on the CRA, while supporting the long-term security, sustainability, and adoption of open source innovation worldwide.
Why do you think now is the right time to help open source contributors navigate the fast-growing regulations in tech?
The clock is ticking. The CRA entered into force in December 2024, and organisations have until the end of 2027 to comply. That may sound far off, but for any company building products that rely on open source, which includes more than 96% of organisations according to a 2025 Harvard study, the work needs to begin now.
Open source is at the heart of modern software, but the supply chain is large, complex, and often poorly understood. Our goal with the ORC WG is to ensure that open source remains a safe and sustainable foundation for innovation, rather than becoming an unintended casualty of regulatory change.
There are two main challenges. First, open source stewards such as the Eclipse Foundation or the Apache Foundation, for example, have a responsibility to support compliance in ways that protect the health and diversity of open source communities. Second, and even more urgently, many “manufacturers,” meaning all the companies that embed software in their products, still do not realise that the new rules apply not only to the code they write but also to the open source components they rely on. Helping them understand and act on this is one of the most important things we can do right now.
How can the Foundation’s work help not only companies, but individuals, stay compliant, given the number of developers contributing to open source in their own time?
Let’s be clear, the CRA does not apply to open source software if you’re not monetising it, and it doesn’t apply when you contribute to a project under someone else’s control. Therefore, individual developers should not be concerned about the CRA, as they are excluded both in the spirit of the regulation and in the adopted text.
However, the CRA applies to all software that will be monetised and put on the market, including open source software, even if compliance is on the manufacturers, the companies that integrate open source software in their products. Our focus in the ORC WG is to support the entire open source community and ensure that this requires as little additional burden as possible. One of our main goals is to ensure that standards organisations and regulators understand the dynamics and diversity of the open source community properly, so that the standards and guidelines published around the CRA do not hinder open source collaboration.
Most open source developers, even those working full time on open source projects, simply don’t have the capacity to manage the full burden of cyber security compliance. That’s why open source stewards, particularly those collaborating within the ORC WG, are stepping up to ensure that compliance processes are as low impact as possible for open source projects.
How do you see the Cyber Resilience Act (CRA) changing things for open source projects, especially smaller ones or those run by volunteers?
Unmonetised open source projects are out of scope for the CRA, so those likely will not be impacted. However, since manufacturers often integrate open source into commercial products they do monetise, we expect to see a new relationship emerge between the projects and those manufacturers.
For open source, the CRA places obligations on manufacturers that monetise a product, and, therefore, they are the ones who should proactively approach these projects to support them. This could actually benefit the open source ecosystem as 1. the reliance of most digital products on open source components and projects will be more tangible; 2. the regulation requires manufacturers to contribute security fixes to open source projects; and 3. they may be incentivised to better support the projects to save on compliance.
There’s been a lot of debate around how the CRA applies to open source. What are you hearing from the community about what they think about the CRA’s impact? And how is the Foundation helping?
When the CRA was first announced, the open source community was primarily concerned about two main issues. First, the CRA’s potential impact on the consumption and use of open source solutions; and, second, the extra obligations the CRA puts on open source projects that could potentially be challenging to fulfil.
After extensive dialogue with EU institutions, the text was revised to address many of these concerns, and it is now clear that this will have fewer negative impacts on the community as a whole. There has also been work to identify ways of supporting manufacturers and building relationships that sustain the open source ecosystem in this new scenario.
Some people worry regulation could discourage open-source development. What’s your take on that?
I’m optimistic. When organisations know they can continue to benefit from open source while still meeting compliance requirements, it builds confidence rather than hesitation. Regulation is part of today’s digital reality, and if you expect to build world-class applications, you need to follow the rules, whether you are using open source or not. Having a strong community behind you makes that process much easier.
Can you tell us a bit more about how the working group plans to support developers? (for example, practical toolkits, legal guidance, or something else)
Yes, our plan includes most of that and more. Probably the big exception would be legal guidance. In fact, the ORC WG has already published an inventory of resources relevant to the development and use of open source under the CRA. In parallel, the group has also released its deliverables plan, outlining a clear, community-driven roadmap for additional content and materials to support the open source ecosystem, including manufacturers, foundations, and maintainers, as they work to meet CRA compliance obligations.
What would you like to see from regulators when it comes to working with the open-source world?
We have found policymakers and regulatory stakeholders to be constructive and engaged throughout this process. We are grateful to be participating in the European Commission’s CRA Expert Group, which brings together regulators, industry, Member State representatives, and civil society to support the implementation of the Cyber Resilience Act. In this role, we aim to channel the expertise of our members and partners, including peer open source foundations, to help ensure that the unique dynamics of open source development are well understood as the supporting guidance and delegated acts take shape.
We have also secured formal liaison status with the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC), and we are an active member of the European Telecommunications Standards Institute (ETSI). These affiliations with the leading European standards development organisations enable us to contribute to technical standardisation processes that will shape how CRA obligations are applied in practice.
At the same time, open source development and governance models are often quite different from what many institutions are used to. Avoiding unintended consequences will require ongoing dialogue, flexibility, and a shared understanding of how open collaboration works. From our side, projects and contributors are stepping into policy and standards conversations that they did not necessarily seek out. But the early results are encouraging, and we see good faith on both sides.
Is there anything else you would like to add?
When you think about it, it’s no longer realistic that the open source community is outside the reach of regulation. Maybe we had the impression that open source was special and immune to regulations. But new regulations like the CRA have made it clear: even if you are not paying attention to regulation, regulation is starting to pay attention to you.
Over the past two years, the Eclipse Foundation and a small number of other organisations have built the capacity to follow and engage with the policy landscape, particularly in Europe and the United States. This is not just a good thing. It is essential to ensuring that open source continues to thrive.