OCX 26
Compliance as Infrastructure
âThe test of a first-rate intelligence is the ability to hold two opposed ideas in the mind at the same time, and still retain the ability to function.â â F. Scott Fitzgerald
Note: This assessment is based on publicly available session recordings, verified repository materials, official conference documentation, and independent post-event coverage of OCX 2026. Two contributions â Eclipse S-COREâs ECU hardware demonstration [7] and the IPCEI-CIS data sovereignty design property [8] â remain at medium confidence pending individual session recording review; these are noted inline.
Introduction
Three US cloud platforms hold the majority of European enterprise infrastructure spend â not because of technical superiority alone, but because their dominance in developer tooling, AI inference endpoints, and software distribution channels creates switching costs that compound over time. In parallel, the EU Cyber Resilience Act â with enforcement beginning 2026-09-11 â and the AI Act impose documentation obligations that vendor attestations cannot satisfy:
provenance
vulnerability disclosure
evidence of secure process
accountability chains
The contributions emerging from OCX 2026 are not simply alternatives to the dominant platforms; they are responses to both the dependency problem and the compliance problem simultaneously.
The intersection of those two pressures is where the most structurally significant contributions live.
What Happened
The Open Community Experience (OCX) 2026 took place on 21â23 April 2026 at The EGG conference centre in Brussels, Belgium. The event was organized by the Eclipse Foundation, a not-for-profit foundation incorporated in Belgium with vendor-neutral governance in operation since 2004. The conference drew an estimated 150 sessions [Self-Reported: Eclipse Foundation, 2026-02-26] across six thematic tracks and five collocated communities covering software-defined vehicles, edge and cloud infrastructure, open source compliance, IoT, AI tooling, and research project governance. Source type: Event.
Three characteristics of OCX 2026 shaped what contributions were available and, equally, what was not.
First, the event is enterprise-oriented: the primary audience is industry engineers, working group participants, and compliance officers â not end-user communities or hardware hobbyists. This explains the Human Autonomy gap documented below.
Second, the CRAâs September 2026 enforcement deadline converted what had been speculative compliance conversations in prior years into operational planning sessions â multiple tracks addressed practical implementation of vulnerability disclosure, software stewardship, and evidence generation.
Third, the Software-Defined Vehicle track demonstrated a degree of cross-competitor collaboration â automakers sharing a common software middleware stack â that constitutes a structural shift in how open source contributions are organized in a historically proprietary sector.
The Analysis
Guided Insights
The four hola principles frame what follows:
Human Autonomy (tools and techniques people can use to inspect, modify, and operate systems they depend on)
Open Licensing (licensing and compliance approaches others can adopt)
Local Ownership (architectures that operate under local jurisdiction without centralized intermediaries)
Accountable Hands (governance patterns that make decision-makers identifiable and answerable)
Each section identifies contributions that practitioners, researchers, and organizations can learn from and apply. The assessment does not evaluate whether OCX 2026 was a good conference.
â Human Autonomy
Three contributions from OCX 2026 address the condition under which engineers and organizations can inspect, modify, and operate systems they depend on without mandatory dependency on proprietary platforms or cloud services. Evidence in this principle is thin, and the thinness is structural:
OCXâs enterprise focus means that end-user autonomy, hardware modification, and self-hosting for non-developers are absent from this harvest.
What survives selection are three developer-facing contributions that each demonstrate a specific, replicable form of local control.
Safety-certified open RTOS on commodity hardware: FrĂ©dĂ©ric Desbiens, project lead for Eclipse ThreadX, presented at OCX 2026 the case for ThreadX v6.5.0 [Operational:2026] as an open source alternative to proprietary RTOS platforms in regulated industries. ThreadX has been designed since 1997 for size, speed, and low-latency behavior, and carries safety certifications for automotive (ISO 26262), industrial (IEC 61508), and medical (IEC 62304) contexts. Full source is available at the Eclipse ThreadX repository, pinned at v6.5.0.202601_rel. The structural contribution is specific: safety-certified real-time operating systems have historically been proprietary, leaving organizations building into regulated sectors dependent on long-term vendor licensing. ThreadX provides an open source path with certification evidence already attached, shifting spend toward product engineering rather than ongoing software licensing. Desbiens described RISC-V adoption as accelerating alongside ThreadX â the combination of open processor designs and an open RTOS creates a more complete stack for organizations seeking hardware-layer autonomy [1][1b]. Transferability is medium: embedded C expertise and independent certification costs apply when reusing in a new product context.
Reproducible firmware deployment via bootable containers: Naci Dai, presenting for the Eclipse SDV working group, described converting an OCI container image from the Eclipse SDV Blueprint library into a bootable disk image using bootc [Operational:2025], then flashing it to an automotive-grade board. The workflow enables reproducible firmware updates with rollback capability, integrated into CI/CD pipelines via AutoSD (CentOS Automotive SIG). Engineers can inspect the full image composition, reproduce it independently, and roll back to prior states â addressing a persistent source of supply chain opacity: firmware builds that are manual, undocumented, and non-reproducible. The Eclipse SDV Automotive recap confirms this session was delivered at OCX 2026 [2][2b].
Open IDE agent framework with local deployment support: Jonas Helming of EclipseSource GmbH opened his session with âthis session isnât about slides, itâs about live demosâ and delivered exactly that â creating AI agents, configuring them, and making them work together directly inside the Eclipse Theia IDE [Operational:2026]. The session demonstrated AI agents that access local files and system services via the Model Context Protocol (MCP), an open standard for connecting agents to external systems. The Human Autonomy contribution is the framework architecture itself: Theia AI is designed to connect to any AI model â cloud-based, self-hosted, or fully local â without vendor lock-in, and its MCP integration pattern is replicable for developers building AI-assisted workflows in regulated or air-gapped environments where source code must not leave the local machine. Transferability is high for developers with sufficient local compute, and the open MCP standard means the pattern is not tied to any specific model provider [3].
Gap:
Human Autonomy contributions in this harvest are limited to developer tooling. No contributions addressing reverse engineering of proprietary systems, self-hosting guides for non-developers, hardware modification techniques, firmware liberation, or escape hatches from automation were identified. This reflects OCXâs enterprise audience â the conference does not attract content of this type â and should be treated as a consistent characteristic of this event rather than a one-edition anomaly. Organizations seeking contributions in these areas should consult practitioner events with broader end-user representation.
đïž Open Licensing
Three contributions from OCX 2026 address the legal and technical conditions under which software and compliance evidence can be adopted, modified, and distributed by others. Open Licensing is the best-evidenced principle in this harvest: all three contributions have verified repository access or documentation, and the governance patterns are documented enough to be replicated by other projects or foundations. Each contribution addresses a different layer of the licensing problem â marketplace governance, organizational policy, and regulated-industry compliance evidence.
Vendor-neutral extension marketplace governance: The Eclipse Foundation operates Open VSX [Operational:2020], a vendor-neutral registry for IDE extensions that surpassed 300 million monthly downloads in March 2026, with Google, AWS, Cursor, and GitPod among its enterprise customers. Extensions are published under OSI-approved licenses; the registryâs governance is documented through Eclipse Foundation processes. The structural contribution is the governance model: competing cloud providers participate in and contribute to the same extension ecosystem without any single vendor controlling distribution. This pattern â a neutral foundation as the enabling layer for cross-competitor collaboration â is replicable by any large IDE or platform ecosystem facing marketplace lock-in, and the March 2026 milestone demonstrates it operating at production scale [4].
Configuration-as-code for organizational governance: Lukas PĂŒhringer demonstrated Otterdog [Operational:2024], an Apache 2.0-licensed tool that defines GitHub organization settings â branch protection rules, repository secrets, webhooks, and team permissions â as Jsonnet configuration files. Every policy change is proposed and reviewed as a pull request, creating a Git-based audit trail. The Eclipse Foundation uses Otterdog across 1,000+ repositories. The licensing contribution is structural: by treating governance configuration as code under an open license, Otterdog makes the governance model itself inspectable, forkable, and independently deployable. Organizations can adopt the tool and its configuration patterns without vendor dependency [5].
Open compliance evidence framework for regulated industries: John Ellis of CodeThink presented the Trustable Software Framework (TSF), a structured approach to generating continuous, build-time evidence for regulatory compliance aligned with IEC 61508 and ISO 26262. The framework documentation is publicly accessible under open terms. TSF addresses a gap that open licensing alone cannot close: a project can be fully open source while remaining opaque about how it was built, tested, and verified. TSF provides the evidence layer that regulated-industry adopters require before they can act on open source licensing. The framework received a positive independent functional safety assessment from exida [Operational:2025] â completed October 2025, confirming that TSF meets or exceeds SIL 3 rigor under IEC 61508. The Efficiently Connected analysis of OCX 2026 confirms Ellis positioned TSF as a unifying operating model for managing safety, security, and compliance simultaneously â not as another standalone standard [6][6b].
đ Local Ownership
Three contributions from OCX 2026 address the conditions under which infrastructure and software can operate under the jurisdiction, governance, and physical control of those who depend on it. Local Ownership drew the largest preliminary candidate set in this harvest (9 candidates), and the three selected contributions represent its strongest evidence, particularly in the automotive and European edge infrastructure domains. All three are EU-scoped â a geographic limitation named explicitly below.
Shared automotive middleware reducing supplier lock-in: Eclipse S-CORE v0.6.0 [Experimental:2026] was presented at OCX 2026âs Open Community for Automotive, covering the shared non-differentiating software layer that multiple automakers can build on â communication middleware, service discovery, lifecycle management â under EPL-2.0. The Eclipse SDV Automotive recap by Sara Gallian, the track chair, confirms S-CORE featured in OCX sessions with a âcode-firstâ mandate and that âEclipse TSF and Eclipse SCORE process development are clear signsâ of the automotive open source ecosystemâs maturation toward series-production readiness [2b]. The Local Ownership contribution is structural: 31 automotive industry leaders signed a Software-Defined Vehicle Memorandum of Understanding [Self-Reported: VDA, 2025] committing to build on this shared stack, reducing proprietary supplier middleware dependency across the consortium. A manufacturer building on S-CORE retains the ability to switch suppliers for other components, inspect and modify the shared layer, and contribute improvements back. S-CORE has since released v0.7.0 [Operational:2026-05-12], confirming active trajectory toward the planned production-ready 1.0 [7][7b]. [Medium confidence: specific ECU hardware demonstration at OCX confirmed by track context; individual session recording not independently reviewed.]
Federated multi-operator edge with data sovereignty: Representatives from Deutsche Telekom, Orange, TelefĂłnica, TIM, and Vodafone demonstrated the IPCEI-CIS Federated Edge Cloud [Operational:2026, pre-production] â a single-entry-point platform for deploying applications across five independent European operator edge networks. Pre-production status confirmed from MWC 2026 coverage (February 2026); OCX 2026 (April) is consistent with this status. Data sovereignty is a confirmed architectural design property of the federation â workloads deployed to a given operatorâs node are designed to remain in that operatorâs jurisdiction â though this property has not yet been confirmed in production operation. The observable contribution is the architecture itself: cross-operator federation with data locality as a built-in design constraint, not a configuration option, without requiring a single controlling entity. Transferability is very low given carrier-grade infrastructure requirements; the governance and sovereignty model is what is potentially transferable [8]. [Medium confidence: data sovereignty as design property stated in pre-event documentation; individual session recording not independently reviewed.]
Composable deployment pipeline for cross-jurisdiction CI/CD: The Eclipse SDV working group demonstrated SDV Blueprints [Operational:2025] â composable, real-world automotive use cases (fleet management, insurance data spaces, companion applications) managed as OCI container images and deployable via bootc to automotive hardware. The pipeline runs in local CI/CD environments without external dependencies. Engineers can retrieve a Blueprint, inspect its full composition, modify it, and flash it to test hardware â a reproducible development environment that does not require cloud access or vendor tooling, supporting local control at the development stage as well as in production. The Eclipse SDV Blueprints site is verified and the E2E Demo Blueprint, released 2026-05-05, demonstrates continuing active development of the pattern [9].
Gap:
All three Local Ownership contributions are EU-scoped. No demonstrated patterns for operating under non-EU jurisdictions were identified in this harvest â no examples from North America, Asia, or the Global South. The federated edge and automotive middleware contributions address EU regulatory compliance explicitly and may require substantial adaptation before applying in other regulatory environments. Future harvests targeting non-EU Local Ownership contributions should prioritize different event types or regional practitioner sources.
â Accountable Hands
Three contributions from OCX 2026 address the conditions under which those who build and govern critical infrastructure can be identified, reached, and held answerable. The CRAâs September 2026 enforcement deadline gave this principle unusual urgency at OCX â accountability is no longer a governance aspiration but a legal requirement for products placed on the EU market. All three contributions address the operationalization of accountability: turning stated commitments into documented, auditable artifacts.
Evidence-based trust engineering: John Ellis of CodeThink presented the Trustable Software Framework (TSF) [Operational:2025] as an engineering model for making accountability measurable rather than declarative. TSFâs six-tenet structure â Provenance, Construction, Change, Expectations, Results, Confidence â generates continuous, auditable evidence during the build process itself. An independent functional safety assessment from exida, completed October 2025, confirmed that TSF meets or exceeds SIL 3 rigor under IEC 61508, with full alignment to ISO 26262 documented. TSF addresses the specific gap where a project can claim to follow safe development practices without generating evidence that external parties can verify: the exida validation transforms that claim into an externally auditable artifact. The Efficiently Connected analysis confirms Ellis described real certification work using a Linux-based distribution aligned to IEC 61508 through the TSF model â the framework is already being applied in practice, not proposed in theory [10][6b].
Auditable policy enforcement via version-controlled configuration: Lukas PĂŒhringer demonstrated Otterdog [Operational:2024] as an accountability mechanism â not just a governance tool. Because every change to organization policy is a pull request in a Git repository, the full history of who changed what, when, and why is permanently auditable. For organizations operating under CRAâs software stewardship requirements, Otterdog provides a replicable pattern for demonstrating that governance decisions were made deliberately, reviewed, and recorded. The Eclipse Foundationâs deployment across 1,000+ repositories is a documented operational example at scale that other organizations can examine and replicate [11].
Institutional framework for open source stewardship at regulatory scale: A keynote panel on the final day of OCX 2026 â âThe Cyber Resilience Act in Practice: One Regulation, Many Ecosystemsâ â brought together Lola FernĂĄndez, Maika Föhrenbach, Johan Klykens, Mike Milinkovich, and Juan Rico to address how the CRA is being implemented across different open source ecosystems [Operational:2026-09-11, upon enforcement]. The panel addressed the specific mechanisms by which open source foundations absorb CRA obligations: under CRA Article 17 (steward obligations) and Article 3(14) (steward definition), foundations like Eclipse can manage coordinated vulnerability disclosure, provide compliance attestations, and reduce the legal burden on individual maintainers who would otherwise face manufacturer-level obligations. The contribution is the governance model itself: a documented, replicable structure in which a neutral foundation absorbs regulatory compliance obligations on behalf of a project ecosystem. Transferability is procedural rather than technical, and depends on the existence of an equivalent neutral body in each adopting jurisdiction [12].
Entry Points
Otterdog repository â Apache 2.0 tool for configuration-as-code governance of GitHub organizations; best starting point for organizations managing large GitHub presences who need auditable, CRA-compatible policy enforcement. Verified. https://github.com/eclipse-csi/otterdog
SDV Blueprints site â Composable, deployable automotive use cases with full documentation; most direct entry for engineers building software-defined vehicle development environments without cloud dependencies. Verified.
https://sdv-blueprints.eclipse.dev/Eclipse ThreadX repository â Full source for the open RTOS including safety certification documentation links; starting point for engineers evaluating open source alternatives to proprietary RTOS in regulated environments. https://github.com/eclipse-threadx/threadx
In Closing
Our Take
This harvest is Moderate in density.
Open Licensing and Accountable Hands each yield three well-evidenced contributions with documented governance patterns and accessible repositories â TSF, confirmed by independent exida functional safety assessment in October 2025, is the strongest single contribution in this harvest, appearing in both principles.
Local Ownership is substantive but geographically constrained: all three contributions are EU-scoped, and two carry medium confidence pending individual recording review.
Human Autonomy is structurally sparse due to OCXâs enterprise orientation â three developer-facing contributions survive selection, none addressing end-user autonomy or hardware-level control. This is a consistent characteristic of this event type, not a gap that a different editorial approach would close.
The dominant finding type is Convergence + Consolidation.
These are two distinct structural patterns supported by separately grounded evidence.
Convergence is visible in the movement of previously experimental contributions toward operational viability: TSF received confirmed independent functional safety validation (October 2025), moving from a proposed engineering model to an externally auditable compliance artifact; Eclipse S-CORE progressed from v0.6.0 at OCX to v0.7.0 by May 2026, on a confirmed trajectory toward production-ready 1.0; and Theia AIâs open MCP framework, demonstrated live at OCX, represents local AI developer tooling crossing from research prototype to functional production workflow â now deployed in Samsung and STMicroelectronics products.
Consolidation is visible in the automotive and edge infrastructure sectors: 31 automotive industry leaders converging on the SDV shared middleware stack (S-CORE, bootc, AutoSD) rather than maintaining proprietary alternatives, and five major European operators demonstrating a unified federated edge architecture with a confirmed single-entry-point API surface.
The compound type is warranted because the evidence bases are distinct: Convergence by TSF maturation, S-CORE trajectory, and Theia AI production deployments; Consolidation by the SDV MoU coalition and IPCEI-CIS. TSF and Theia AI carry high confidence; S-CORE and IPCEI-CIS carry medium confidence pending recording review.
The central pattern across this harvest is that compliance is no longer being treated as a downstream legal layer applied to infrastructure after deployment; it is increasingly being embedded into the architecture, governance, and delivery mechanisms of the infrastructure itself.
TSF generates auditable safety evidence at build time. Otterdog makes governance configuration inspectable and version-controlled by design. The CRA stewardship model absorbs regulatory obligations at the foundation layer so individual projects do not have to. The SDV shared middleware stack and federated edge architecture are both structured to satisfy sovereignty and compliance requirements as architectural properties, not afterthoughts. This is what the title names: compliance becoming infrastructure.
References
HA - Human Autonomy
[1] Frédéric Desbiens, Eclipse Foundation (Project Lead, Eclipse ThreadX)
Eclipse ThreadX v6.5.0: Open RTOS with Safety Certifications for Regulated Industries. OCX 2026, Brussels, 2026-04-21. Repository: https://github.com/eclipse-threadx/threadx/releases/tag/v6.5.0.202601_rel [Status: Public; Verified: 2026-05-21] [Source Type: Event] [Claim Type: Operational]
đŻïž ThreadX v6.5.0 presented at OCX 2026 as a safety-certified open source RTOS covering RISC-V hardware targets â establishing a replicable alternative to proprietary RTOS platforms in automotive, industrial, and medical regulated sectors, where Human Autonomy has historically required purchasing a closed system with long-term licensing obligations.
[1b] Ally Gentry, Efficiently Connected
Eclipse ThreadX and RISC-V Advance the Open Embedded Stack. Efficiently Connected, 2026-04-28.
https://www.efficientlyconnected.com/open-source-supply-chain-sustainability-threadx-risc-v-ocx-2026/
[Status: Public; Verified: 2026-05-21] [Source Type: Publication] [Claim Type: Operational]
đŻïž Independent analyst coverage of Desbiensâ OCX 2026 presentation confirms the safety certification value proposition, the RISC-V hardware autonomy argument, and the long-lifecycle supply chain control claim â providing corroboration for the Human Autonomy principle assignment from outside the Eclipse Foundationâs own communications.
[2] Naci Dai, Eclipse SDV working group
Fifty Shades of SDV: A Blueprint-Driven Roadmap for Orchestration Adoption. OCX 2026, Brussels, 2026-04-21.
https://youtu.be/1BiE7fQv_pQ
[Status: Public; Verified: 2026-05-21] [Source Type: Event] [Claim Type: Technical]
đŻïž Demonstrated conversion of OCI container images into flashable automotive ECU disk images using bootc, enabling reproducible firmware updates with rollback â a replicable pattern for addressing the supply chain opacity created by manual, undocumented firmware build processes, and for maintaining local, inspectable control over embedded system state.
[3] Jonas Helming, EclipseSource GmbH (Principal Software Architect and CEO)
AI in Action: The Ultimate Live Demo with Theia AI. OCX 2026, Brussels, 2026-04-23.
https://www.youtube.com/watch?v=Hvn2EMv6xOE
[Status: Public; Verified: 2026-05-21 â session confirmed via Tooling recap and Thomas Fromentâs blog] [Source Type: Event] [Claim Type: Operational]
đŻïž Live demonstration of AI agents created and orchestrated inside the Eclipse Theia IDE using the open Model Context Protocol standard â a replicable framework for AI-assisted development that supports local, self-hosted, and air-gapped deployment without vendor lock-in to any specific model provider or cloud inference endpoint.
OL - Open Licensing
[4] Eclipse Foundation
Open VSX Registry: Vendor-Neutral Extension Marketplace Governance. OCX 2026, Brussels, 2026-04-21.
https://open-vsx.org/
[Status: Public; Verified: 2026-05-21] [Source Type: Event] [Claim Type: Procedural]
đŻïž Open VSX â surpassing 300 million monthly downloads in March 2026, with Google, AWS, Cursor, and GitPod as enterprise customers â provides a documented governance model for a vendor-neutral extension marketplace in which competing cloud providers co-participate without any controlling the distribution layer, replicable by any platform ecosystem seeking to avoid marketplace lock-in under OSI-approved licensing.
[5] Lukas PĂŒhringer, Eclipse Foundation
Otterdog: Configuration-as-Code for GitHub Organization Governance. OCX 2026, Brussels, 2026-04-22.
https://github.com/eclipse-csi/otterdog
[Status: Public; Verified: 2026-05-21] [Source Type: Event] [Claim Type: Technical]
đŻïž Otterdogâs Apache 2.0 codebase and Jsonnet-based configuration model makes organizational governance itself inspectable, forkable, and version-controlled â deployed across 1,000+ Eclipse Foundation repositories, providing a documented operational example of open licensing applied to governance infrastructure rather than just software.
[6] John Ellis, CodeThink
Trustable Software Framework: Open Compliance Evidence for Regulated Industries. OCX 2026, Brussels, 2026-04-22.
https://pages.eclipse.dev/eclipse/tsf/tsf/index.html
[Status: Public; Verified: 2026-05-21] [Source Type: Event] [Claim Type: Procedural]
đŻïž TSFâs publicly accessible framework documentation â confirmed by independent exida functional safety assessment (October 2025, SIL 3) â provides an open, replicable structure for generating compliance evidence under IEC 61508 and ISO 26262, closing the gap where open licensing alone does not satisfy regulated-industry adopters who require documented evidence of safe development process.
[6b] Ally Gentry, Efficiently Connected
CRA Compliance and Trustable Software: What OCX 2026 Revealed. Efficiently Connected, 2026-04-27.
https://www.efficientlyconnected.com/eu-cyber-resilience-act-compliance-ocx-2026/
[Status: Public; Verified: 2026-05-21] [Source Type: Publication] [Claim Type: Procedural]
đŻïž Independent analyst coverage confirms Ellis positioned TSF as a unifying operating model â not a standalone standard â and describes real certification work using a Linux-based distribution aligned to IEC 61508, providing corroboration that TSF is already applied in practice rather than proposed in theory.
LO - Local Ownership
[7] Eclipse SDV working group / Qorix
Eclipse S-CORE v0.6.0: Shared Automotive Middleware Under Open License. OCX 2026, Brussels, 2026-04-22. Repository: https://github.com/eclipse-score/score
[Status: Public; Verified: 2026-05-21 â session confirmed by Automotive recap; ECU demo at medium confidence] [Source Type: Event] [Claim Type: Technical]
đŻïž S-CORE v0.6.0 presented at OCX 2026 within the SDV automotive track â with 31 companies signed to the SDV MoU committing to the shared middleware stack â provides a replicable pattern for reducing automotive supplier lock-in through open middleware that multiple competing manufacturers can inspect, modify, and co-develop without any single vendor controlling the stack.
[7b] Eclipse SDV community
Eclipse S-CORE 0.7 is here! Eclipse SDV, 2026-05-12. https://eclipsesdv.org/news/eclipse-s-core-0-7-is-here/
[Status: Public; Verified: 2026-05-21] [Source Type: Corpus] [Claim Type: Technical]
đŻïž The S-CORE 0.7.0 release â three weeks after OCX 2026 â confirms the projectâs active development trajectory from the v0.6.0 demonstrated at OCX toward the planned production-ready 1.0, corroborating the Convergence finding type signal for automotive shared middleware.
[7c] Eclipse SDV community
Eclipse S-CORE: Open by choice. Safe by design. Driving automotive innovation together!
https://www.youtube.com/watch?v=EBaTffzXGlY
[Status: Public; Verified: 2026-05-21] [Source Type: Event] [Claim Type: Technical]
đŻïž Examines the development of a safety-focused open source middleware stack for software-defined vehicles â confirms the projectâs active development.
[8] Deutsche Telekom, Orange, TelefĂłnica, TIM, Vodafone
IPCEI-CIS Federated Edge Cloud: Cross-Operator Deployment with Data Sovereignty. OCX 2026, Brussels, 2026-04-23.
[Status: Public; Verified: MWC 2026 coverage confirmed pre-production status; Publication of the OCX session recording is pending] [Source Type: Event] [Claim Type: Operational]
đŻïž Five major European operators demonstrated a unified federated edge deployment platform at pre-production stage â with data sovereignty as a stated architectural design property â providing the first reported multi-operator architecture for data-sovereign edge infrastructure without a single controlling intermediary; data locality as enforced constraint awaits production confirmation.
[9] Eclipse SDV working group
SDV Blueprints: Composable Automotive Deployment via bootc and AutoSD. Eclipse SDV, 2025âpresent.
https://sdv-blueprints.eclipse.dev/
[Status: Public; Verified: 2026-05-21] [Source Type: Corpus] [Claim Type: Technical]
đŻïž SDV Blueprints provides composable, OCI-image-based automotive use cases deployable to local hardware via bootc â a replicable pipeline for automotive development that operates without cloud access, enabling engineers to inspect, modify, and reproduce the full vehicle software stack locally; E2E Demo Blueprint released 2026-05-05 confirms active development.
AH - Accountable Hands
[10] John Ellis, CodeThink
Trustable Software Framework: Evidence-Based Trust for Safety-Critical Systems. OCX 2026, Brussels, 2026-04-22.
https://pages.eclipse.dev/eclipse/tsf/tsf/index.html
[Status: Public; Verified: 2026-05-21] [Source Type: Event] [Claim Type: Procedural]
đŻïž TSFâs six-tenet model generates continuous, auditable build-time evidence for IEC 61508/ISO 26262 compliance â confirmed by independent exida functional safety assessment (October 2025, SIL 3) â providing a replicable pattern for converting accountability from a stated commitment into an externally verifiable artifact trail for safety-critical open source projects.
[11] Lukas PĂŒhringer, Eclipse Foundation
Otterdog: Auditable Policy Enforcement via Pull-Request Governance. OCX 2026, Brussels, 2026-04-22.
https://github.com/eclipse-csi/otterdog
[Status: Public; Verified: 2026-05-21] [Source Type: Event] [Claim Type: Procedural]
đŻïž Otterdogâs pull-request model for organizational policy creates a permanent, inspectable record of governance decisions across 1,000+ repositories â a replicable accountability pattern for CRA software stewardship compliance, demonstrating that every policy change was deliberate, reviewed, and attributable.
[12] Lola Fernåndez, Maika Föhrenbach, Johan Klykens, Mike Milinkovich, Juan Rico
The Cyber Resilience Act in Practice: One Regulation, Many Ecosystems. OCX 2026 Keynote Panel, Brussels, 2026-04-23.
https://youtu.be/qcGeP9Erqms
[Status: Public; Verified: 2026-05-21] [Source Type: Event] [Claim Type: Procedural]
đŻïž Five-speaker keynote panel confirmed the Eclipse Foundationâs stewardship model under CRA Article 17 (steward obligations) and Article 3(14) (steward definition) as a replicable institutional pattern for foundations absorbing manufacturer-level CRA compliance obligations on behalf of maintainers â with enforcement beginning 2026-09-11.
Supplementary References
[13] Sara Gallian, Eclipse SDV
Open Community for Automotive at OCX26: A Recap. Eclipse SDV, 2026-05-05.
https://eclipsesdv.org/blogs/open-community-for-automotive-at-ocx26-a-recap/
[Status: Public; Verified: 2026-05-21] [Source Type: Publication] [Claim Type: Operational]
đŻïž Track chair recap of the Open Community for Automotive at OCX 2026 â confirming S-CORE, TSF, and SDV Blueprints as central contributions to the track â provides independent corroboration of the automotive contributions in this harvest and confirms the recording URL for [2].
[14] Daniela Nastase, Eclipse Foundation
Keynote Highlights at OCX26. Eclipse Foundation Blog, 2026-04-29. https://blogs.eclipse.org/post/daniela-nastase/keynote-highlights-ocx26
[Status: Public; Verified: 2026-05-21] [Source Type: Publication] [Claim Type: Contextual]
đŻïž Official Eclipse Foundation keynote recap confirms the full speaker lineup and recording URLs for all eight keynote sessions at OCX 2026, including the CRA panel [12] â establishing the primary source basis for Accountable Hands contextual claims and confirming the digital sovereignty and regulatory themes as the dominant keynote frame.
[15] European Parliament and Council of the European Union
Regulation (EU) 2024/2847 â Cyber Resilience Act. Official Journal of the European Union, 2024-10-23.
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402847 [Status: Public; Verified: 2026-05-21] [Source Type: Policy Development] [Claim Type: Contextual]
đŻïž The CRAâs Article 17 (steward obligations), Article 3(14) (steward definition), and the 2026-09-11 enforcement date are the regulatory context that transforms accountability contributions in this harvest from governance aspirations into legal compliance requirements â directly conditioning the urgency of all Accountable Hands contributions.
[16] bootc project contributors
bootc: Bootable OCI container tooling. GitHub, 2023âpresent. https://github.com/containers/bootc
[Status: Public; Verified: 2026-05-21] [Source Type: Corpus] [Claim Type: Technical]
đŻïž The bootc repository and documentation establish the technical foundation for the firmware reproducibility and SDV deployment pipeline contributions in this harvest â providing the independently verifiable source base against which operational claims about container-to-disk-image conversion and rollback capability can be assessed.
[17] Eclipse Foundation
Eclipse Foundation Bylaws and Governance Documentation. Eclipse Foundation, 2004âpresent.
https://www.eclipse.org/org/documents/
[Status: Public; Verified: 2026-05-21] [Source Type: Corpus] [Claim Type: Procedural]
đŻïž The Eclipse Foundationâs documented vendor-neutral governance framework â the institutional substrate enabling cross-competitor collaboration in Open VSX, Otterdog, S-CORE, and the CRA stewardship model â provides the legal and procedural context for assessing transferability of the governance patterns identified in this harvest.
[18] Natalia Loungou, Eclipse Foundation
Eclipse Foundation Unveils Full Agenda for OCX 2026. Eclipse Foundation Newsroom, 2026-02-26.
https://newsroom.eclipse.org/news/announcements/eclipse-foundation-unveils-full-agenda-ocx-2026
[Status: Public; Verified: 2026-05-21] [Source Type: Publication] [Claim Type: Contextual]
đŻïž The official OCX 2026 agenda announcement confirms the ~150-session scale, the five collocated communities, and the full speaker lineup including Helming, Dai/Kral, and Buscombe â providing the authoritative source for the What Happened section scale claims and the framing note context.
[19] Open Source Initiative
The Open Source Definition. Open Source Initiative, 1997âpresent.
https://opensource.org/osd
[Status: Public; Verified: 2026-05-21] [Source Type: Corpus] [Claim Type: Contextual]
đŻïž The OSI Open Source Definition provides the normative reference for âOSI-approved licenseâ claims in the Open Licensing section â the standard against which Open VSX, Otterdog (Apache 2.0), S-CORE (EPL-2.0), and ThreadX licensing claims are assessed.
[20] Eclipse Foundation
Open VSX Registry Surpasses 300 Million Monthly Downloads. Eclipse Foundation Newsroom, 2026-03-03.
https://newsroom.eclipse.org/news/announcements/open-vsx-registry-surpasses-300-million-monthly-downloads
[Status: Public; Verified: 2026-05-21] [Source Type: Publication] [Claim Type: Operational]
đŻïž The March 2026 milestone announcement confirms Open VSX operating at production scale with named enterprise adopters â providing the operational evidence that upgrades the Open VSX governance contribution from a governance model to a governance model demonstrated at scale.
Methodological Appendix
This assessment harvests contributions from OCX 2026 â a European enterprise open source conference organized by the Eclipse Foundation â that advance four directions: Human Autonomy, Open Licensing, Local Ownership, and Accountable Hands. We harvest contributions, not judge sources â OCX 2026 is an input, not a subject.
Contested status is warranted by two independently load-bearing empirical fragilities: the ECU hardware demonstration claim for S-CORE [7] and the data sovereignty as enforced design property claim for IPCEI-CIS [8], both of which are stated in pre-event and secondary documentation but not yet confirmed via individual session recording review.
Geographic scope is European, with a strong EU regulatory focus â non-EU jurisdictions are absent from this harvest.
Finding type is Convergence + Consolidation, confidence Medium-High (TSF and Theia AI legs High; S-CORE and IPCEI-CIS legs Medium). Harvest density is Moderate. Self-reported data is tagged accordingly.
The Eclipse Foundation organized the event and is also the subject of several contributions; all contributions are assessed on their demonstrated evidence, not their organizational affiliation.
AI Role
AI was used in this assessment for four tasks: Report formatting and context declaration drafting; narrative draft writing across all principle sections; gap identification cross-checked against the initial research; and reference list formatting and URL verification support. All contribution descriptions were reviewed against source documents and post-event coverage. AI was not used to assess documentation quality or draw analytical conclusions. Contribution selection, quality judgments, finding type reasoning, register discipline, and analytical record entry creation are human editorial decisions.
Assessment written 4 weeks post-event, based on materials available at https://www.ocxconf.org/event/2026/summary and post-event coverage as of 2026-05-21.
Source type: Event.
Analytical date: 2026-05-21.



