Conference Program
Open Source Compliance with Licenses and Regulation, Safe and Easy
If you sell a product that contains open-source software, you must comply with both the licenses and regulations such as the European Union’s Cyber Resilience Act. Specifically, you (1) are required to declare its software bill of materials, (2) need to make sure it does not include unwanted open-source code, (3) need to create and deliver correct legal notices, and (4) must monitor security vulnerabilities of current and past deliveries. Ignore these requirements, and you risk being sued by copyright trolls, irate customers, or the government.
Target Audience: Product leaders, engineering leaders, architects, developers, legal
Prerequisites: General software development understanding
Level: Practicing
Extended Abstract:
If you sell a product or distribute a project that contains open-source software, you are required to comply with both the licenses and regulations such as the European Union’s Cyber Resilience Act. Specifically, you (1) are required to declare its software bill of materials, (2) need to make sure it does not include unwanted open-source code, (3) need to create and deliver correct legal notices, and (4) must monitor security vulnerabilities of current and past deliveries. If you ignore these compliance requirements, you risk being sued by copyright trolls, irate customers, or the government. This talk shows how to handle these requirements, including the Cyber Resilience Act, in a safe and easy way.
Professor for Open-Source Software
Prof. Dirk Riehle, the professor for open-source software at FAU Erlangen, digs open source. Before becoming a professor, he led the open source research group at SAP in Silicon Valley.
Lean Compliance as Strategic Asset in Agile Organizations
In a rapidly evolving landscape of regulations, compliance is often perceived as a constraint in business operations and a threat to business agility. This presentation aims to shift the perspective, highlighting how compliance can serve as a strategic asset when moving beyond rule-based compliance implementations. By integrating ESGRC topics & goals, organizations can even further enable & enhance their Agile Operating Model, turning potential constraints into opportunities for innovation and growth.
Target Audience: Executives, Decision Makers, Architects, Product Managers
Prerequisites: Basic understanding of Lean & Agile concepts as well as contact with Compliance issues
Level: Practicing
Extended Abstract:
1) Context & Motivation
- Why the topic is relevant & special challenges in the EU
- Key legal terms & concepts and why they matter to Executives
- Our perspective / motivation
2) Compliance Case studies
- Variations across industries
- Deep dive MedTech as example industry
- Regulation accelerates: Lack of digitalization as an innovation killer
- Impact of digitalization leap to Agile & Agentic AI
3) Compliance: from Tactical Consideration to Strategic Asset
- Current solutions when talking about Compliance in Agile (using SAFe as a reference)
- Artificial Intelligence & Agile Operating model
- Operational Compliance & Total Value Chain
- Suggested compliance maturity approach leading to "Strategic Asset"
4) Summary & Call to Action
- Summary
- Next steps
TAKEAWAYS
- Shift mindset from constraint to enabler: Compliance isn’t just about avoiding penalties. When integrated properly, it builds trust, ensures quality, and strengthens resilience.
- In fast-moving sectors like MedTech, regulatory pressure is accelerating the need for digitization in order to enable delivery of innovative products.
- Current agile frameworks offer initial ideas on how to move towards Operational Compliance but lack ideas for Strategic Total Compliance Management.
- True progress happens when product and compliance experts collaborate closely - which requires both sides to develop a deeper mutual understanding.
- The ultimate goal? Go beyond being reactive - aim for competency, where compliance becomes a strategic advantage.
Leading expert in Lean-Agile methods
Felix Rüssel is a leading expert in Lean-Agile methods, helping organizations improve performance and profitability. He's known for integrating strategic product development, Agile transformation, and Artificial Intelligence. As a SAFe® pioneer in Germany, he has led major transformations. Currently, he focuses on blending Risk and Compliance Management with Lean-Agile principles for regulated industries.
After education and research in physics and materials science, Erika Schüttfort landed in product development in MedTech. She has now been working in the MedTech business for over a decade, leading large organizational changes towards modern ways of working. Her focus has been on enabling legacy businesses in the MedTech industry to stay competitive by leveraging their competencies in new and more empowering ways. The constant focus in such businesses is managing the intersection between innovation and compliance, which has become Erika’s passion.