Scaling Security from Zero: How a Small OSS Ecosystem Jumped Into the Deep End
This talk looks at how the Erlang Ecosystem Foundation approached security and regulatory readiness in a resource-constrained open source ecosystem.
Rather than starting from a fully formed strategy, the work began under significant uncertainty: limited capacity, evolving regulation, and no clear blueprint for how security, compliance, and governance should be handled at an ecosystem level. Using the EU Cyber Resilience Act as an initial catalyst, the talk walks through how the foundation identified leverage points, made explicit trade-offs, and focused on outcomes that would meaningfully improve trust and adoption.
The presentation covers practical decisions around scoping, sequencing, and prioritization; why early, concrete results mattered more than theoretical completeness; and how grant funding eventually helped turn fragile progress into more durable capacity. It also touches on the less visible consequences of scaling up, including governance, accountability, and questions of legitimacy once external funding and regulatory expectations enter the picture.
This talk is aimed at maintainers, foundation staff, and community leaders working in smaller or mid-sized open source ecosystems — especially those who don’t have dedicated legal or compliance teams, but whose software is increasingly relied upon in real products.
Slides: https://docs.google.com/presentation/d/1irrbVC9JB8hzkDy-w7NEqH6LULgV5pySvhz88FeIres/edit?usp=sharing
Talk Recording: not yet published.
Jonatan Männchen
CISO @ Erlang Ecosystem Foundation
Winterthur, Switzerland