TL;DR
OpenChain and Friends 2026 gathered around 200 practitioners across ten topic streams in Stuttgart from 24 to 26 March — the largest edition to date. The conversations that mattered most were about governance gaps, the Cyber Resilience Act, AI, and whether compliance is being treated as an operational discipline or a periodic exercise. SCANOSS attended with two live demos.
Open source supply chain compliance has been moving from a niche concern to a board-level conversation, and OpenChain and Friends 2026 reflected that shift directly. Ten parallel topic streams, three venues across Stuttgart and Ludwigsburg, and a participant roster spanning software developers, automotive engineers, OSPO leads, security professionals, and educators from across Europe and beyond.
The main hub was the Robert Bosch GmbH Service and Supply Chain Campus in Feuerbach, with satellite sessions at Mercedes-Benz Tech Innovation in Vaihingen and Bosch Digital in Ludwigsburg. The industrial setting was appropriate — several of the most substantive conversations touched directly on the automotive sector’s specific challenges with open source governance and software-defined vehicles.
SCANOSS was on the ground for the full event with two live demonstrations, engaging practitioners working through the same operational challenges the platform is built to address.
What did the keynotes actually argue?
The keynote programme set the tone well. Björn Schiessle of Nextcloud opened with a provocation — that digital sovereignty means eliminating dependencies, not managing them — and Dirk Targoni of Robert Bosch GmbH pushed back from the security side with a formulation that stayed with us: “Don’t avoid dependencies — master them: track everything, verify continuously, and enforce need-to-know. Open source isn’t the risk; opaque code is.” That tension between minimising exposure and maximising visibility is exactly the kind of productive disagreement this community benefits from, and it echoed through the Cybersecurity track for the rest of the event.
Closing the keynote programme, Mary Meixia Wang of the Linux Foundation OpenChain Project grounded the conversation in what the project is actually building towards: a global supply chain where open source is delivered with trusted, transparent, and consistent process management, anchored in standards like ISO/IEC 5230 and ISO/IEC 18974. Her observation that the community must also reckon with how open source and AI are reshaping modern business together set up three days of AI track sessions that never felt disconnected from the compliance conversation happening in the adjacent rooms.
What did the compliance track reveal about where organisations actually are?
Of all the sessions across three days, the one that stayed with us longest was Walt Miner’s “The Last Mile Problem: Turning Executive Support into Real Open Repo Contributions.” It caught our attention because it was honest in a way that conference sessions not always are. The subject was Automotive Grade Linux, but the diagnosis applied well beyond it: the tools exist, the standards exist, and the will is often there at developer level — and still, contributions stall, because leadership has not connected open source participation to business strategy. Without that connection, legal caution and competitive instinct fill the gap.
What we liked about it was the practical response. Rather than describing the problem and leaving it there, the AGL OSPO Expert Group built something concrete: an Executive Slide Deck, freely available for anyone to use, drawing on case studies from Honda, Toyota, Bosch, and others. It is a resource designed to have a specific conversation with a specific kind of audience. That kind of pragmatism is in short supply.
The wider point landed clearly. AGL has shown that direct competitors can collaborate on shared software — code from Toyota, Honda, Jaguar Land Rover, Daimler, and others now runs in millions of vehicles. The mechanism is structured, executive-backed governance.
What does the AI conversation add to the compliance picture?
The AI track introduced a variable that compliance teams cannot yet fully account for. Prof. Dr. Ingo Weber of the Fraunhofer Gesellschaft and TU Munich argued that openness in code, data, and governance is what allows organisations to understand whether AI systems can actually be made useful — and Dr. Ingo Simonis of the Open Geospatial Consortium extended that to trust: the most capable AI systems will emerge from open platforms where communities collaborate, share data, and validate solutions together. Both positions point to the same underlying problem. If AI-generated and AI-assisted code is entering codebases without systematic tracking, the SBOM challenge becomes harder.
It is a gap we are actively working on at SCANOSS. Tracking AI models as components, understanding their provenance, and surfacing that information in a form compliance and security teams can act on is a natural extension of what we already do for open source. Stuttgart reinforced that this concern is already present in practitioners’ pipelines, and that the governance is already lagging behind.
What do we take back from Stuttgart?
Three days, ten tracks, and a lot of conversations in hallways and over lunch tend to compress into a few clear impressions. Ours from Stuttgart are these.
The compliance gap is real, but it is not where most people think it is. The tools exist. The standards exist. What is missing, consistently, is the internal alignment to operationalise them.
Cryptographic visibility is moving from a niche concern to a compliance requirement, and most organisations do not yet have a clear picture of what cryptography is running in their codebases. That is precisely what Andrei’s Thursday demo addressed — and the interest it generated in the room confirmed that the question is live. The same applies to AI-generated code. Provenance tracking for AI models is not a solved problem, and the organisations that treat it as tomorrow’s concern are already behind.
We left Stuttgart with a clearer sense of where the friction is and, frankly, with renewed conviction that the work SCANOSS is doing is pointed at the right problems. If any of those are conversations your organisation is starting to have, we would be glad to be part of them. And if you missed Stuttgart this year, we would recommend making the trip in 2027. This community is worth being in the room for.