It runs in production under your name. You answer for every line — yet most of it came from upstream maintainers you can't see, audit, or call. BITOS helps you take ownership of your software supply chain before someone else forces the question.
These weren't sophisticated zero-days. They were governance failures. And CVE discoveries surged 394% year-over-year in Q1 2026.
For years, no one asked what was inside your software. That era is closing — everywhere. Europe's Cyber Resilience Act (CRA) is simply the first hard deadline, and anyone selling into the EU is already on the clock. Washington is moving the same way, with software bill-of-materials (SBOM) requirements written into federal procurement. Whatever market you're in, “we didn't know” has stopped being a defense.
The EU CRA timeline — the template the rest will follow
Mandatory vulnerability reporting begins
All CRA provisions apply in full
Maximum fine — or 2.5% of global annual turnover
Where the industry actually stands
of organizations remain unfamiliar with the CRA — unchanged from 2025
of manufacturers produce SBOMs for all products
still passively rely on upstream for security fixes
have a documented plan to meet CRA obligations in time
Source: Linux Foundation — 2026 CRA Awareness and Readiness Report (n=843)
No tools to sell. No platforms to resell. No vendor partnerships. Just operational guidance, compliance frameworks, and hands-on implementation — then we leave.
Most organizations use open source everywhere but govern it nowhere. Regulators now expect active due diligence on every third-party component — the CRA writes it into law (Art. 13), and others are following. We build the policy, procurement controls, and operating model that make your usage intentional — and legally defensible.
Working policy framework · OSPO (Open Source Program Office) blueprint · Procurement controls your team runs without us
Most organizations can't actually see what they ship — let alone prove it when a regulator, an auditor, or a customer asks. Under regulation like the CRA, that's no longer tenable. We map your full dependency graph, surface your real CVE exposure, and produce the audit-ready documentation regulators require.
SBOM baselines · CVE exposure map · Audit-ready compliance documentation
"Open-source" AI doesn't mean "free to use." We verify dataset licensing, architectural constraints, and isolation profiles — so you know which models you truly own, and which own you.
Licensing analysis · Provenance verification · Deployment risk profile
BITOS is a single-practitioner advisory. No junior analysts. No subcontractors. When you engage BITOS, you work directly with someone who has spent two decades inside the open source ecosystem — building and leading OSPOs for European institutions, shaping governance frameworks, and advising organizations that cannot afford to get this wrong.
Governance, policy, security, and community
Architecture & governance for European public institutions
No vendor ties. No products. No divided loyalties. Ever.
Every engagement follows the same progression. The goal is always transfer — you end up owning the capability, not renting ours.
Map your complete open-source footprint. Surface what's exposed, what's untracked, what's urgent.
→ SBOM baseline + CVE exposure report
Build the governance framework that fits your organization, your sector, and your regulators.
→ Policy framework + procurement controls
Stand up the operating model. Embed controls into real workflows. Train your teams.
→ Working OSPO + team enablement
Hand over everything. Document everything. Walk away.
→ Full documentation + zero dependency
Three questions. One minute. An honest picture of where you stand on open-source governance and supply chain security.
The exposure is already sitting in your codebase — the real question is whether you find it before a regulator, an auditor, or an attacker does. We take on a small number of engagements at a time. If you need to move, start the conversation now.